
As human resources professionals continue to concentrate on assessing the needs of their organizations, one key area to focus on is preventing the theft of sensitive personal and business information. In 2017, we witnessed the most data breaches on record, with more than 15 percent more security incidents reported than in 2016. These data breaches exposed the Personally Identifiable Information (PII) of hundreds of millions of people, and caused billions of dollars’ worth of damage. Beyond monetary losses, the emotional fallout of being hacked can be equally devastating to individuals and families. 

Employees whose information has been compromised by a fraudster exploiting their HR department will spend dozens to hundreds of hours out of the office to restore their identities. They’ll feel a sense of betrayal from their company, hurting both morale and loyalty.

If the breach makes the news, the organization will have a public relations nightmare on its hands. Dealing with customer, employee and media inquiries alone will become a full-time job. Furthermore, if you or your department is the source of the breach, your job and reputation will be in jeopardy.

Protecting your employees’ PII should be a year-round initiative, but is especially important during the first quarter of the year. Tax season is when CEO fraud and W-2 phishing scams are at their highest, and the threat is growing exponentially every year. According to the IRS Return Integrity Compliance Services, reports of W-2 phishing emails increased 870 percent from 2016 to 2017. For individuals reporting identity theft due to tax fraud, IdentityForce recorded a 30 percent increase from 2016 to 2017.

On the business side, IdentityForce recorded more than a 60 percent year-over-year increase in organizations seeking identity theft protection – for either their employees or customers – because of personal information being compromised. 

The fraudsters who perpetrate this type of theft are highly sophisticated, readying their tactics and targets well before tax season begins. One of the primary ways that cybercriminals gain access to employees’ tax information is through what is known as a Business Email Compromise (BEC) scam. You may have heard this referred to as “spear phishing.”

BECs occur when the email address of one of your company’s executives (often the CEO) is compromised or spoofed. Scammers will send an email from this account, generally targeting HR and/or payroll. In it they will request that the employee send them a file containing the W-2 forms of some or all of your staff. Typically, the scammer will position the email as an “urgent need.” If the recipient of this phishing attempt fulfills the request, the crook will use your employees’ W-2 forms to commit tax fraud and claim refunds on their behalf.

While this form of phishing may seem obvious to spot, it has been alarmingly effective for those who lurk in the shadows of the Dark Web. In 2017, nearly one in four organizations that reported receiving a W-2 phishing email acknowledged they had fallen for the scam.

Wanting to be responsive to a company executive’s request is a normal employee response, which makes it understandable how so many are duped. As organizations have become more agile in recent years, many have noted that fixed jobs are coming to an end. More people have their hands in various aspects of the business, with access to more information. This has made companies increasingly susceptible to phishing attacks as cybercriminals can take a shotgun approach and target a wider range of employees.

The threat of cyberattacks is ever-present for companies of all sizes, in all industries. What matters is how you prepare your employees to identify phishing attempts. Consider these three tips:

  1. Start training during the onboarding process

Hackers and cybercriminals are brilliant at what they do, however alarming their tactics may be. They will research your company’s employees and go after those who have been newly hired or are junior level. Eager to please in their new job, these workers make for an easy target to respond to a BEC scam.

  2. Double-check the accuracy of the email address

Those who send malicious emails often do so by making a minor tweak that employees can easily overlook. Hover over the email address in the “From” bar to ensure the formatting is accurate. If you have any doubt, pull up an old email that you have received from that person for comparison.

  3. Verify all requests for sensitive information

Email is not a secure method to transfer information because it could compromise company or employee data. If you receive a request and it seems real, always confirm with a phone call, text message, or quick in-person discussion. If it is legitimately a colleague who’s asking for the information, be sure to talk to your IT team to encrypt the data before sending it.
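The address check and the verification step in the tips above can also be automated at the mail gateway. The following is an added example, not part of the original article: the company domain, executive directory, keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only (not from the article).
COMPANY_DOMAIN = "corp.example"
EXECUTIVES = {"jane doe": "jane.doe@corp.example"}  # display name -> real address
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "tax form")

# Constructed sample messages: a lookalike-domain request and a normal one.
SPOOFED = ("From: Jane Doe <jane.doe@c0rp.example>\n"
           "Reply-To: jane.doe@mailbox.test\n"
           "Subject: Urgent: W-2 forms needed\n\n"
           "Please send me the W-2 forms for all staff today.\n")
LEGIT = ("From: Jane Doe <jane.doe@corp.example>\n"
         "Subject: Team lunch\n\n"
         "Lunch is on Friday.\n")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_message(raw):
    """Return the reasons a message should be verified out-of-band."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        flags.append("display name matches an executive but the address differs")
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("sender domain is a near-miss of the company domain")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        flags.append("Reply-To points to a different domain than From")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("asks for sensitive employee data; confirm by phone or in person")
    return flags

if __name__ == "__main__":
    for reason in review_message(SPOOFED):
        print("FLAG:", reason)
```

A message sent from a genuinely compromised executive mailbox passes the address checks, so the sensitive-data flag and the phone or in-person confirmation remain the control that matters in that case.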

Raising awareness and being vigilant are key, but ultimately it will be your employees who make the decision to respond to illicit emails or not. In today’s digital world, there is simply no way to defend against all fraudsters.

If the worst-case scenario does occur, and you are breached, there are tools to help protect the identity of your employees. One way to get ahead of a breach and minimize damage is through partnering with an identity monitoring service provider. In fact, the fastest-growing, progressive employer benefit that HR teams everywhere are implementing is Identity Protection Services (IDPS). By adding IDPS to your benefits stack, employees can rest easy knowing that their PII is being monitored 24/7. Such services can help prevent identity theft or, at minimum, deliver rapid restoration and recovery to restore your good name.

For Human Resources or Total Rewards professionals who might be considering offering identity protection, be sure to perform a thorough review of the options available to you. 

Beyond the obvious advantages of protecting employee and company intel, identity theft protection has been recognized by the IRS as a pre-tax benefit. Whether employer paid, or offered as a voluntary benefit, offering IDPS is appealing to current and prospective employees in today’s digital world.