Businessman holding email. A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower-level personnel. (Image: Shutterstock)

The most likely cyber attack a company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of the year for the W-2 version of BEC is right now — tax season.

A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower-level personnel. During tax season, the spoofed email will often request that W-2s for employees be provided by return email.

While the email looks identical to the executive's email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s and the personal information associated with the documents.
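As an added illustration (not part of the article), a small Python check a mail gateway or security team could run on an inbound message to flag the pattern just described: an executive's display name on an address that is not the executive's, a Reply-To that routes the reply somewhere else, and a request for W-2 data. The company domain, executive list and sample message are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders: the company's mail domain and the executives
# whose names a W-2 lure is most likely to borrow (hypothetical values).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
W2_TERMS = ("w-2", "w2", "tax form", "social security")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the reasons an inbound message looks like a W-2 BEC lure."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    name_key = from_name.strip().lower()
    reasons = []
    # The display name is an executive's, but the address is not theirs.
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        reasons.append("executive display name on a non-executive address")
    # The executive's name is arriving from outside the company's domain.
    if name_key in EXECUTIVES and domain_of(from_addr) != COMPANY_DOMAIN:
        reasons.append("executive name used from an external domain")
    # A reply would go somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append("Reply-To routes replies to a different domain")
    # The message asks for W-2 or similar payroll data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " +
            (body.get_content() if body is not None else "")).lower()
    if any(term in text for term in W2_TERMS):
        reasons.append("message requests W-2/payroll data")
    return reasons

def should_hold(raw_message):
    """Hold for review when a W-2 request arrives with any sender anomaly."""
    reasons = bec_indicators(raw_message)
    return any("W-2" in r for r in reasons) and len(reasons) > 1

# Constructed sample lure (hypothetical addresses) for a stand-alone run.
SAMPLE_LURE = """\
From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: Jane Doe <ceo.jane@webmail-example.net>
To: payroll@example-corp.com
Subject: Urgent: W-2s for all employees

Please send me every employee's W-2 for last year as PDF by reply today.
"""
```

A genuine W-2 reminder from the executive's real address trips only the content check and is not held, which is the point of requiring a sender anomaly as well.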

If an employee falls for the scam, the company has now experienced a serious data breach and must comply with certain legal requirements. Worse yet, the company's employees' sensitive personal information has been given to the attackers, and the employees now have this problem to worry about instead of performing their jobs. The disruption is substantial in their personal lives and for the company's operations.

How do attackers use W-2 information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have the tax refunds sent to themselves instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once the information is obtained. In some cases they have begun to fraudulently use the information on the same day they obtained the W-2s from the company. Time is truly of the essence in responding to these attacks, and legal assistance is necessary for properly responding to these data breach events.

Why do so many attacks happen during tax season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks during the beginning of each year because of tax season. This is consistent with what has been seen in helping companies with these cases in past years as well. The reason this type of attack is so common during tax season is the tax-related fraud aspect of the attack. That is, the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and obtain refunds from innocent victims.

And the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If a company has not yet been targeted, it is likely that it will be very soon, so it is important to be prepared.

What can you do to protect your company?

Educating employees is critical because they will be the ones who receive the emails from the attackers.

  • Make them aware of this issue by sharing the information in this article with them so that they understand the threat, how it works and how it could affect them personally.
  • Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

Have appropriate internal controls in place to protect against these types of attacks. These controls can include:

  • Limit who has access to your company's W-2s and other sensitive information, as well as who has the authority to submit or approve wire payments.
  • Have established procedures in place for sending W-2 information or other sensitive information, as well as for submitting or approving wire payments, so that dual approvals are required for these activities.
  • Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then use email to confirm, using an email address known to be correct, with the purported requestor. Never reply to one of these emails or call using a telephone number that is provided in one of these emails, faxes, or telephone calls.

What to do if your company is hit by an attack

  • Immediately contact experienced legal counsel who understands how to guide a company through these incidents and, ideally, has appropriate contacts with law enforcement and the IRS to assist in reporting this incident quickly.
  • Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect the employees whose information was exposed in the W-2s.
  • Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements. This should be a part of an existing incident response plan. Companies should have such a procedure in place to be better prepared if and when a security breach occurs.
  • Inform employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter.

Shawn Tuma ([email protected]) is a partner at Spencer Fane LLP in the firm's Dallas office. He helps businesses protect their information and protect themselves from their information, representing a wide range of clients, from small to midsize companies to Fortune 100 companies, across the United States and globally in dealing with cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud related legal issues, and cyber-related litigation.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.