Last year, the IRS saw an unprecedented number of companies of all sizes fall victim to a W-2 spear phishing scam. It goes like this: a “spoofed” email appears to have been sent by a company’s CEO or CFO (or a similar senior officer) to one or more employees in the human resources or payroll department. The email typically requests that all of the company’s employees’ W-2s be sent. The sender may ask for them in PDF format, uploaded to a file sharing site, or even by fax.
Unbeknownst to the human resources or payroll department employees, the email did not come from the CEO or CFO but from a criminal who had conducted some research to, at the very least, identify the names and email addresses of the CEO or CFO as well as the targeted human resources or payroll department employees.
To avoid this type of scam, Better Business Bureau offers the following advice:
- Confirm email requests by phone. If an email is requesting wire transfers of company funds or sensitive documents, it’s best to confirm the request by phone. In some cases, victims reported that the CEO’s email account had been hacked and the requests were coming from inside the company’s system.
- Strengthen passwords. At a minimum, passwords should be eight characters long and contain upper and lower case letters, numbers and symbols.
- Develop policies for handling money or sensitive data. Policies should be consistent and up-to-date with the latest advances in technology. Make sure all employees are trained on the policies.
- Keep lines of communication open. This type of scam only works if subordinates don’t feel comfortable questioning the boss or the CEO.
- Inspect the email. Look to see who exactly the email is from as scammers will sometimes use an email address that looks similar to one your company uses. See if there are any attachments or hyperlinks that don’t exactly make sense in relation to the email. Also, check the content of the email. Is the sender asking something that’s out of the ordinary or would have negative consequences?
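
Parts of the "inspect the email" tip can be automated at the mail gateway or help desk. The Python sketch below is an added example, not part of the BBB advice; the company domain, executive names, keyword list and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "acme-corp.example"    # assumption: your organization's mail domain
EXECUTIVES = {"jane doe", "john roe"}   # assumption: officers a scammer might imitate
SENSITIVE = ("w-2", "w2", "wire transfer", "payroll")  # assumption: request keywords

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_email(raw):
    """Return the reasons this message should be confirmed by phone first."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    flags = []
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike sender domain: " + domain)
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive name on an outside address")
    if reply_domain and reply_domain != domain:
        flags.append("replies go to a different domain: " + reply_domain)
    if any(keyword in text for keyword in SENSITIVE):
        flags.append("asks for sensitive data or money")
    return flags

# Constructed sample message (reserved .example/.invalid domains, not real traffic)
SAMPLE = """From: Jane Doe <jane.doe@acme-c0rp.example>
Reply-To: jane.doe@mailbox.invalid
To: payroll@acme-corp.example
Subject: W-2 forms needed today

Please send me all employee W-2s as a PDF.
"""

if __name__ == "__main__":
    for reason in inspect_email(SAMPLE):
        print("CONFIRM BY PHONE:", reason)
```

Header checks like these cannot catch a request sent from an executive's genuinely hacked account, which is why the phone confirmation in the first tip still applies.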
Adam Price is regional director for Better Business Bureau serving the greater Central Texas area. For more info, visit bbb.org or contact Adam directly at aprice@centraltx.bbb.org.