It's tax time, and that means fraudsters are once again using phishing and deception to trick those who have access to staff member's W-2 tax forms into turning them over.
The tax forms are a treasure trove of information, including employees' names, addresses, Social Security numbers and wages, that can be used to commit fraud, such as filing fake tax returns to obtain a refund.
Among the organizations that have recently fallen victim to phishing scams involving the inappropriate release of W-2 data are Campbell County Health of Gillette, Wy., and eHealth Inc., an online health insurance exchange based in Mountain View, Calif.
These type of scams, which pop up at the start of every year, point to the need to enforce corporate policies against sharing W-2s and other sensitive personal information via unencrypted email under any circumstances and to educate all employees to be on the lookout for fraudulent requests for information.
In a Jan. 25 statement, Campbell County Health, which operates a 90-bed acute care community hospital and other facilities, acknowledges that it was the victim of a "security incident" that may affect some of their employees' personal information.
"Currently, it appears that an unauthorized individual, impersonating a CCH executive, contacted an employee requesting W-2 information for all of our employees who had taxable earnings in calendar year 2016," says Andy Fitzgerald, CCH CEO. "Unfortunately, before it was determined that the request was fraudulent, the employee provided these files."
"CCH has contacted local law enforcement and a cybersecurity response team, both of which are actively working to identify the fraudulent party and help the organization take all necessary actions to protect their employees," Fitzgerald says.
The county healthcare provider says it has informed its employees of the steps that they can take to guard against fraud or identity theft, such as monitoring their bank accounts, credit cards, tax returns and other personal or financial information, as well as contacting major credit bureaus. CCH also says it will offer its employees free identity protection services.
"We take this matter and the security of personal information very seriously at CCH, and we will continue to review and enhance our security practices to further secure our systems," Fitzgerald says in the statement.
CCH did not immediately respond to an Information Security Media Group request for comment on the incident. But a local news outlet, the Gillette News Record, reports the breach affected about 1,400 CCH employees.
Meanwhile, a sample data breach notification from eHealth posted by the California attorney general's office indicates one of its employees also fell for a similar trick on Jan. 20.
The notice says an eHealth employee received a phishing email that the individual thought was "a legitimate email" from a company executive. Before the company discovered that the request was made from a fraudulent email account, the employee had already sent copies of eHealth employees' W-2 tax forms.
The notice does not indicate how many eHealth employees were impacted, and eHealth did not immediately respond to an ISMG request for information. The company is offering affected employees free credit and identity monitoring services for 24 months.
Mac McMillan, CEO of the security consulting firm CynergisTek, says phishing schemes involving W-2s are just the tip of the iceberg when it comes to tax season scams.
"These are not new attacks. They unfortunately happen every year prior to tax time," McMillan says. "Worse yet - tax fraud from fraudulently filed returns accounts of several billion dollars in losses every year, and a considerable amount of inconvenience and in some cases financial stress for victims."
To help combat these kinds of phishing scams, "one simple thing they can do is remind their financial staffs and their employees that these types of events occur every year and not to fall prey to them," McMillan says. "Remind them that the CEO will never request this type of information from them in an email, and they should not respond to such a request without first verifying its authenticity. Awareness is key."
Privacy and security expert Kate Borten, president and founder of the consultancy The Marblehead Group, says organizations need to adopt clear-cut policies on what types of information cannot be transmitted, under any circumstances, via unencrypted email.
"There should be limitations on transmitting such data via email [that's] unencrypted," she says. "You can't blame it all on training if the underlying policies are inadequate."
McMillan says phishing email scams can be difficult to battle. "But with the right technology in place, the right filters enabled, they can be easier to spot," he notes.
"The user still needs to be alert to requests of this nature, though, and not just click on or answer requests, regardless of who they come from, to provide personal information. This particular scenario can be managed by having an iron clad rule in finance that says no matter who sends such a request, the information is not to be provided until specifically approved by a manager or the CFO, and the request is verified with the sender. That ensures that more than one person reviews the request and there is a higher likelihood it will be discovered as a fraud."
But when an employee does fall for these kinds of tax-related scams, it's important to take action as soon as the mistake is detected to help avoid further fraud, McMillan notes.
"The first step is to report it to law enforcement, the IRS and their finance office," he says. "Once alerted, steps can be taken to flag the persons' returns if not filed yet. If the scammer has already filed the return, steps can be taken to stop its processing.
"If, worst case, [the tax return] has already been filed and processed, they will still need to report it to begin the process of recovery. They will want to do this as soon as possible as it typically takes a while for these matters to be resolved."