A new twist on a W2 tax scam
There's a new twist on a tax scam that might put filers' information at risk: fraudsters pretending to be a company's CEO.
The approach is a technique involving phishing, when thieves pretend to be someone or something they aren't, such as a bank employee, and ask unsuspecting people for personal information such as Social Security numbers. The fraudster's goal is to gather enough data to file a fake claim on the filer's behalf, pocketing their refund.
Now there's a twist on the phishing scam, with security site Krebs on Security reporting that some scammers are targeting workers in human resources or accounting. The fraudsters send an email to those workers, purporting to be their CEO and asking for the company employees' W2 forms. In one fell swoop, a scammer theoretically could be handed data for hundreds or thousands of workers.
In one case cited by Krebs, a company's controller received an email that looked as if it were sent by its chief executive. The email asked for all employee W2 forms to be sent to him.
"I want you to send me the list of W2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap," the email read.
The controller, however, didn't have the information and referred the request to the company's CFO, who had just completed a security awareness training class and thought it seemed "phishy," the site noted. The CEO told Krebs he "congratulated them on a good catch."
An employee in the payroll department at Snapchat was apparently not as well versed in email scams, with the photo sharing company on Sunday saying it had been the victim of a phishing scam in which a scammer impersonated Snapchat's CEO and asked for employee payroll information. "A number of our employees have now had their identity compromised," the company said in a statement.
While there's not much tax filers can do to ensure someone else (like an HR or accounting executive in their company) remains alert to phishing scams, there are several ways that consumers can protect themselves.
Phishing scams are based on a consumer's trust for authority, relying on social engineering to convince victims to act in a way they might not normally behave. That's why it's important to keep up one's guard, even if an email purports to be from the IRS, your employer, or a financial institution. Unsolicited emails, texts, social media posts or links to websites should be viewed with caution, according to the National CyberSecurity Alliance.
Phishing scams, which are on the IRS' 2016 "Dirty Dozen" list, can also rely on hacked emails or send emails under another person's name, with the latter being the case with the CEO twist. Often, the emails or websites won't be legitimate, so a consumers' first step should be to carefully check the addresses in the purported email or message. If you have any questions, check with the institution or person who supposedly sent the email.
Some phishing scams are engineered to cause malware to download onto victims' computers, according to the National CyberSecurity Alliance. Because of that, it recommends deleting any email that looks off.
"If it looks weird, even if you know the source, it's best to delete," the group recommends.