W-2 Cyber Criminals are Going Phishing


July 2017—

9 ways to make sure they come up empty handed at your store

By John Farley and Emily Selck


Tax season may have just ended, but retailers should know cyber criminals never take a break. In fact, those very same criminals are always looking for more ways to cash in on your employees’ personal data for profit.

As one of the fastest growing social engineering scams on the market today, hackers pose as a company CEO or key executive via email, requesting copies of employee tax forms. Once they’ve garnered the complete set of W-2s, they quickly turn it into cash by selling it on the black market, selling off individual pieces of employee identity (social security numbers, employer IDs, addresses) and more commonly, filing taxes and pocketing refunds.

Known as W-2 phishing, this scam has trapped a surprisingly growing number of small- to medium-sized retailers in the last few tax seasons who unknowingly forward the hacker their organization’s fleet of W-2 forms. Last tax season, the IRS saw a 400 percent surge in W-2 phishing and malware incidents, and in 2015, the Federal Trade Commission reported that tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints.

The good news is these nine steps can help you prevent W-2 phishing and other tax fraud:

  1. Institute multi-step verification. The FBI urges businesses to adopt a two-step or dual-factor authentication process for financial and sensitive employee data requests. This could mean requiring two separate email requests or an email followed by a live phone call before W-2s are sent out.
  2. Train employees to recognize phishing scams. While an email may look like it came from the store owner who’s on vacation or their accountant who lives in another city, phishing emails are typically “off.” When it comes to the boss’ address, for example, one letter may be different, a lowercase “l” replaced by an “i,” etc.
  3. Establish an avenue for reporting. Even when an employee recognizes the email as phishing, they often don’t know how to report it, so they just delete it all together. Establish a dedicated email address that goes to the boss or the IT department where employees can report a phishing email.
  4. Avoid too much exposure. If you’re the store owner, you obviously have to post your name on your website, but keep it to a minimum—especially email addresses. Be mindful of the names and email addresses you post. The more information on your website or social media pages, the more information you could unknowingly be feeding fraudsters. That’s just the kind of information they’re looking for to set up a social engineering scam.
  5. Keep employees on their toes. Send out regular reminders before and during tax season and limit the number of staff members who have access to sensitive information, like W-2 forms, and/or under what circumstances they can share them.
  6. Know your vendors. Because many retailers outsource their W-2s and other sensitive employee information to a W-2 clearinghouse or compliance management company, it’s important to review your vendor contracts to determine what rights you have for indemnification or recovery of information should a third party be the cause of your data breach. Often vendor agreements include a hold harmless clause or limit their liability to the cost of your contract, should your information be breached on their clock.
  7. File early. Urge employees to file their taxes early. The earlier they are filed, the less likely a hacker is to file on their behalf successfully.
  8. Be proactive. If you suspect your W-2s have been stolen, notify the IRS so they can put a red flag on affected accounts. We put off a lot in our retail businesses. Don’t delay on this one. A red flag will prevent a fraudster from filing a tax return in the employee’s name. Additionally, some companies are doing proactive searches on the dark web to see if any of their employee or customer information is out there currently.
  9. Be prepared. In case this should happen to your furniture store, make sure you’re covered with a cyber-insurance policy. Cyber insurance covers the expense of hiring experts to defend and get you up and running, and for lost income due to service outages. None of this is covered by commercial general liability or business operator policies.

The ensuing loss of time and exorbitant costs and reputation repercussions for small businesses and individuals alike from this fraud can be devastating. Businesses must respond to the data breach by hiring a privacy attorney, notifying affected employees and complying with state requirements based on where their employees reside. Individuals will have to iron out the details with the IRS, which could take several years to unravel. Can your store afford this?


John Farley, vice president and cyber risk practice leader at Hub International, has 23 years of experience in insurance and risk management.
Emily Selck is the cyber liability practice leader for Hub International.

RetailerNOW is changing.

Insights Magazine will be replacing RetailerNOW as the official publication of the Home Furnishings Association. With this change, you will be able to find the same great content on the HFA website. All current members/subscribers will automatically receive the new print editions. You can continue to view content on this website until January 2020.