As tax season begins, cyber crime targeting W-2 forms is on the rise. Criminals want W-2 forms so they can file fraudulent tax returns and cash the refund checks. Victims find out about these scams when they attempt to file their legitimate returns, only to be told that a return has already been filed.
The U.S. Justice Department, citing Internal Revenue Service data from 2013, reported that 5 million tax returns were filed fraudulently, seeking $30 billion in refunds. Cases of this fraud are believed to be much higher today, leaving victims to wait out a lengthy process of reconciliation before they can get the tax refunds they deserve.
Anyone who issues or distributes W-2 forms needs to take exceptional care with them. Because they contain Social Security numbers and personally identifying information, they are considered protected personal information under state laws.
How to Protect and Safely Distribute W-2 Forms
Criminals attempt to steal W-2 forms in two ways: online and in person. In-person theft simply involves stealing W-2 forms from someone’s mailbox. Criminals know when to look, but they may not know what they are looking for.
You can prevent mailbox theft by distributing W-2 forms online, or by handing them to employees in the office. If you must mail W-2 forms, it is best to do so in a plain envelope with a handwritten return address that looks like a personal letter. Avoid envelopes that look corporate, and absolutely avoid windowed envelopes that show the form or that have printed messages stating that a W-2 is inside.
If you distribute W-2 forms electronically or provide self service for your employees, follow these tips:
- Give employees a link instead of emailing a W-2 form. Most payroll providers include password-protected individual employee accounts as part of their service. Take advantage of these so that employees have to download their forms, rather than sending them via email.
- If you must email, be sure the email is encrypted. This prevents thieves from capturing the documents in transit. Send W-2 forms only to employee email accounts that you manage, not third-party accounts or free email services that are more easily compromised.
- Encourage employees to file early. Early filing is the best defense against a fraudulent claim, and criminals tend to file very early in the season.
- Beware of phishing and social engineering scams. Criminals may attempt to harvest W-2 forms by pretending to be accountants, representatives of online filing services such as TurboTax or state or Federal tax agents. Remember that no one will ever contact you by phone, email or text with a legitimate request for someone’s tax documents.
- Warn employees of tax season scams. Send a reminder email that no one from the company and no legitimate government agent will ever contact them to ask for a copy of a W-2, and advise them to be careful responding to requests from trusted contacts, such as their own lawyers and accountants. Follow one simple rule whenever you receive a request for personal information: Call to verify.
Many employees and a large number of business professionals are unaware of the growing number of scams targeting tax documents. These forms contain one of the most valuable pieces of personal information: an individual’s Social Security number. If an attempt to steal employee tax forms from an organization succeeds, it must be treated as a data breach and reported to law enforcement. Employees will need to inform the Social Security Administration of the compromise as well.
W-2 theft is another aspect of phishing and social engineering that businesses can fight with cyber security awareness training. Our CSI Protection Certification succeeds where other programs fail by tapping into the personal desire employees have to keep their own data safe and showing them how those instincts apply in workplace situations. Contact us online to learn more or call us at 1-800-658-8311.