As reported in Forbes, the Internal Revenue Service (IRS) issued an urgent alert to all employers warning that scammers are widening their Form W-2 phishing net, targeting school districts, tribal organizations, and nonprofits. “Phishing” is a type of cyber crime in which a hacker poses as a trusted source online to gain access to systems or obtain sensitive information for financial gain. This form of cyber scam is extremely common and simple, putting your employees and business at risk, which makes awareness the best prevention.
How the Form W-2 Phishing Scam Works
The W-2 phishing scam, also referred to as business email compromise (BEC) or business email spoofing (BES), starts with a fake email request that appears to come from a high-level corporate employee and is sent to the company's payroll or human resources department. The email asks for the W-2 forms along with the earnings summary of all W-2 employees. It may also ask for an updated list of employees' personal details, including Social Security Numbers, home addresses, and salary information.
Scammers trick the payroll or HR departments into releasing data that is then used to file fraudulent tax returns, resulting in ill-gotten tax refunds. The scammers are now taking their deceit even further, sending out a "follow up" email posing as an executive and requesting the transfer of funds to a bank account to cover payroll and other expenses. Several companies have fallen victim to this ploy, handing over W-2 forms along with thousands of dollars to these thieves.
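A defender-side illustration of the pattern described above, added here as an example and not code from the original article or from the IRS: a small triage check that flags payroll or HR requests for W-2 data, employee details, or fund transfers when the sender's display name matches an executive but the address is external, or when the Reply-To points to a different domain. The company domain, executive name, and messages are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample messages (placeholders, not real mail): the fields a
# mail gateway or HR mailbox rule would see for each inbound request.
MESSAGES = [
    {"from": '"Jane Doe, CEO" <jane.doe@example-corp.com>', "reply_to": "",
     "subject": "Q1 planning", "body": "Please send the slides for Thursday."},
    {"from": '"Jane Doe, CEO" <jane.doe@example-corp-mail.com>', "reply_to": "",
     "subject": "Urgent request",
     "body": "Kindly send the W-2 forms and earnings summary for all employees today."},
    {"from": '"Jane Doe, CEO" <jane.doe@example-corp.com>',
     "reply_to": "jdoe.ceo@webmail-example.net", "subject": "Follow up",
     "body": "Need a transfer of funds to cover payroll; account details attached."},
]

INTERNAL_DOMAIN = "example-corp.com"          # assumed company domain
EXECUTIVES = {"jane doe"}                     # display names worth impersonating
# Requests the scam makes: W-2 data, employee PII, or money for "payroll".
SENSITIVE = re.compile(
    r"\bw-?2\b|earnings summary|social security|salary|home address"
    r"|transfer of funds|wire transfer|payroll", re.I)


def display_name(addr):
    return parseaddr(addr)[0].lower()


def domain_of(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def bec_risk(msg):
    """Return reasons a request should be verified by phone before release.
    An empty list means the message asks for nothing the scam targets."""
    reasons = []
    if not SENSITIVE.search(msg["subject"] + " " + msg["body"]):
        return reasons
    reasons.append("asks for W-2 data, employee details, or funds")
    name, from_dom = display_name(msg["from"]), domain_of(msg["from"])
    if any(ex in name for ex in EXECUTIVES) and from_dom != INTERNAL_DOMAIN:
        reasons.append("executive display name with external sender domain")
    if msg["reply_to"] and domain_of(msg["reply_to"]) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


def triage(messages):
    """Indices of messages that need out-of-band verification, with reasons."""
    return {i: r for i, m in enumerate(messages) if (r := bec_risk(m))}
```

Rules like these catch only the crude variants; a request that passes every check still warrants a phone call to the named executive before any data or money leaves the company.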
How to Protect Your Company from W-2 Scams
A report released by the Internet Crime Complaint Center (IC3) stated that there were over 120,000 cyber crime-related complaints against businesses last year, resulting in a loss of over $800 million.
Any organization is a potential target for this scam, and the IRS is urging employers to communicate the details to human resources, payroll, and finance employees so they can catch any fraudulent request before it's too late.
Social engineering frauds like the W-2 phishing scam are a form of cyber fraud that special insurance policies can cover. Without cyber or privacy insurance protection, your business would be responsible for covering all costs resulting from the data breach, including fines, penalties, and credit monitoring for individuals impacted by the scam. The cost of notification and credit monitoring can range from $100-$250 per individual and can quickly become a large, unplanned expense.
Additionally, depending on state privacy laws, companies have to file a notification of the incident and cover all penalties and fines that may be imposed for releasing employee information. This scam highlights the importance for businesses and organizations of having the right cyber and privacy security measures in place to deter attacks and to protect themselves if they are duped.
Risk management planning is a critical part of your company's defense against phishing scammers. A solid plan should include a process that will enable you to respond quickly and appropriately. Additionally, your risk advisor should ensure you have cyber liability insurance coverage that fits the needs and relevant exposures of your business.
Cyber policies can cover the costs of credit monitoring, penalties, and fines, along with any money that was unintentionally given to the scammers. These coverages are in addition to any commercial property and casualty policy and are customized for your business to address realistic exposures.
Many cyber policies are part of a larger management liability or commercial property and casualty risk management program. Computer fraud and cyber liability insurance are tailored to address and protect you from the risks that accompany modern technology in the business world.
Your Britton Gallagher risk advisor can work with you to implement the right cyber liability and computer fraud insurance based on your unique operations.