- Your employees and contractors are busy gathering documents, preparing to get their returns ready.
- How many emails or calls does your team typically get asking to resend a W-2 or 1099?
- Scammers highly covet that data, so it’s time to do a policy checkup.
About this time every year, criminals see an opportunity for a major windfall. Businesses were responsible for getting their employees and contractors a variety of state and federal tax documents by the end of January. And now, many of them are gathering this information as they prepare to file their taxes.
These documents are a goldmine for criminals, so take extra care to protect them even as you’re likely getting requests for the information.
There are some specific fraud avenues to watch for, mostly targeting the finance organization. Generally, criminals want W-2s and 1099s, as well as related information. With this data, they can file false tax returns in an attempt to get refunds that belong to your employees and contractors.
Many will read this and think, “Our company would never give this information to a criminal. They’d have to break into our systems.”
If you did in fact think that, you would be among thousands of finance pros who are unfortunately proven wrong every year. Criminals regularly trick employees into willingly sending them sensitive information. A common ploy around this time is to email the HR department and simply ask for the forms. They may impersonate a trusted colleague whose name they found on LinkedIn or got by calling your company and asking, “Who would be responsible for W-2 information being sent from the payroll department?”
Once they have the appropriate contact, they send that person an email claiming to be an employee or manager and saying that they need the information sent to someone new or resent to a different address.
In variations of the scam, they might claim to be from your accounting firm. Heck, they might even target your accounting firm directly. They might call instead of emailing. If they do email, they may first break into the accounts of legitimate parties and make the request from an internal or otherwise trusted address.
This sort of targeted attack is called “spear phishing,” and it works. The city of Quincy, Mass., just lost $3.5 million from its pension fund when an investment manager made the transfer after receiving instructions in an email from a hacked email account. The board did not even uncover the fraud until months later.
As you can see, it’s not easy to stop these attacks. It can be done, however, through a combination of technical and operational controls.
To Protect the Jewels, Have Some Rules
From an operational perspective, the first thing I recommend is that you evaluate your company’s procedures governing the release of specific classes of information.
Yes, security awareness training to make employees cognizant of threats is important. However, first make sure that you have policies governing behavior. You don’t want people winging it when it comes to sensitive data.
Documentation Key to Payouts
Written policies aren’t just a best practice for protecting data from scammers. Cyber insurers routinely require them as a condition of coverage, and a claim after a successful breach can be denied if the controls you attested to were never written down.
Build procedures based on best practices. For example, W-2 and similar information is just one form of PII (personally identifiable information). There are legal repercussions for the release of such information. For that reason, establish rules that govern the release of all PII.
At minimum, write down:
- Who is authorized to email this information to individuals both within and outside of the organization.
- How the decision to release such information is made. For example, you might define that the actual release of PII, in any form, must be performed by the head of HR or the CFO.
- What secondary approval is required. I recommend the general counsel, but the key is to slow down the process and have some checks and balances in place.
A low-level HR or accounting clerk should not be the front-line defense against a highly skilled and persuasive criminal.
Next, reemphasize or implement awareness training to help employees understand the threat. However, the primary message should be that your PII release procedure is non-negotiable, and all requests must be forwarded to the proper person.
Awareness should be about how to do things right, not what to be afraid of.
From a technical perspective, work with your security and IT teams to ensure that appropriate compensating controls are in place.
Anti-phishing measures are key here. Finance leads should ask what protects their teams against spoofed emails asking for PII or other data. For example, you can set your email system to tag messages that originate from an external email account, so a request that claims to come from your CEO but arrives from outside the organization stands out. Publishing and enforcing SPF, DKIM and DMARC for your own domain keeps outsiders from sending mail that appears to come from it. Note that neither control helps once a criminal is sending from a genuinely compromised account, as in the Quincy case above, which is why the procedural controls still matter. The Cybersecurity and Infrastructure Security Agency offers more advice.
Ask about data loss prevention (DLP) software that scans outgoing email messages for sensitive information. These systems look at text, images, Microsoft Word docs, PDFs and other files and can block the release of any message that contains, for example, Social Security numbers or your customer database. So, if one of your employees does fall for a scammer, the data release would be blocked at the mail gateway. If the request is legitimate, the message can be released after the request is verified out of band, for instance by calling the requester at a known number. Expect some tuning: pattern-based DLP produces false positives on numbers that merely look like SSNs and misses data in formats it cannot read, so it supplements the release procedure rather than replacing it.
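The check described above, as an added example that is not part of the original article and not any vendor's product: a minimal outbound-mail DLP filter that scans a few constructed messages for Social Security numbers and tax-form attachments, then holds for human verification any message that would release that data to an external domain or from a sender who is not on the authorized-release list. The domain `example.com`, the addresses, the authorized-sender set and the sample messages are all assumptions made for the illustration; a production gateway would also extract text from PDF and Office attachments and images, which this example omits.

```python
"""Added example (not code from the article): a minimal outbound-mail DLP check."""
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.com"                                      # assumed
AUTHORIZED_SENDERS = {"hr-director@example.com", "cfo@example.com"}  # assumed policy

# Three digit groups with one consistent separator (dash, space or none); \2 enforces it.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")
# Attachment names that look like tax forms (W-2, W2, W-4, 1099, 1099-NEC ...).
TAX_FORM_RE = re.compile(r"(?<![a-z0-9])(W-?2|W-?4|1099(?:-[a-z]+)?)(?![a-z0-9])", re.IGNORECASE)


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject digit strings the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return every plausible SSN in text, normalised to NNN-NN-NNNN."""
    return [f"{a}-{g}-{s}" for a, _sep, g, s in SSN_RE.findall(text)
            if is_valid_ssn(a, g, s)]


@dataclass
class Verdict:
    action: str                        # "deliver" or "hold"
    reasons: list = field(default_factory=list)
    ssn_count: int = 0
    tax_attachments: list = field(default_factory=list)


def scan_message(msg: EmailMessage, authorized=AUTHORIZED_SENDERS) -> Verdict:
    """Inspect body text, text attachments and attachment names, then apply the release policy."""
    ssns, tax_attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and TAX_FORM_RE.search(filename):
            tax_attachments.append(filename)
        if part.get_content_type().startswith("text/"):   # binary parts would need a text extractor
            ssns.update(find_ssns(part.get_content()))

    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [r for r in recipients if r.rsplit("@", 1)[-1] != INTERNAL_DOMAIN]

    reasons = []
    if ssns or tax_attachments:
        if sender not in authorized:
            reasons.append(f"sender {sender} is not authorized to release PII")
        if external:   # even an authorized sender is held here until the request is verified
            reasons.append("PII addressed to external recipient(s): " + ", ".join(external))
    return Verdict("hold" if reasons else "deliver", reasons, len(ssns), tax_attachments)


def build_samples() -> dict:
    """Constructed outgoing messages for the demo; no real people, domains or numbers."""
    spoofed = EmailMessage()
    spoofed["From"] = "clerk@example.com"
    spoofed["To"] = "ceo@examp1e.com"                   # lookalike domain, not ours
    spoofed["Subject"] = "RE: W-2s for all staff, urgent"
    spoofed.set_content("Here is the export you asked for.")
    spoofed.add_attachment("name,ssn,wages\nA. Smith,123-45-6789,52000\nB. Jones,234-56-7890,61000\n",
                           subtype="csv", filename="W2_export_2023.csv")

    authorized = EmailMessage()
    authorized["From"] = "hr-director@example.com"
    authorized["To"] = "cfo@example.com"
    authorized["Subject"] = "Corrected SSN for new hire"
    authorized.set_content("Payroll should use 345-67-8901 for the new hire.")

    clerk_internal = EmailMessage()
    clerk_internal["From"] = "clerk@example.com"
    clerk_internal["To"] = "colleague@example.com"
    clerk_internal["Subject"] = "FYI"
    clerk_internal.set_content("His SSN is 456-78-9012 if you need it.")

    benign = EmailMessage()
    benign["From"] = "clerk@example.com"
    benign["To"] = "partner@outside-cpa.com"
    benign["Subject"] = "Call tomorrow"
    benign.set_content("Dial in at 3pm; quote ticket 000-12-3456 (area 000 is never an SSN).")
    return {"spoofed_ceo": spoofed, "authorized_internal": authorized,
            "clerk_internal": clerk_internal, "benign_external": benign}


def run_demo() -> dict:
    """Scan every sample and return its verdict keyed by sample name."""
    return {name: scan_message(m) for name, m in build_samples().items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{name:20s} {v.action:8s} ssns={v.ssn_count} "
              f"attachments={v.tax_attachments} {'; '.join(v.reasons)}")
```

The `spoofed_ceo` sample is held for two reasons (unauthorized sender and an external, lookalike recipient), the authorized internal transfer is delivered, the clerk's internal message is held because the sender is not on the release list, and the benign external message passes because `000-12-3456` fails the SSN validity check. The held messages are exactly the ones the release procedure above says a person must verify before they leave the building.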
Unfortunately, your well-meaning finance employees are the primary targets for tax fraud — and plenty of other — scams. People sometimes make mistakes; your job is to make sure that an error doesn’t cost your company, employees or contractors big.
Ira Winkler, CISSP, is chief security architect for a Fortune 10 company and author of books including “You Can Stop Stupid,” “Corporate Espionage” and the bestselling “Through the Eyes of the Enemy.” He is in the Information Systems Security Association Hall of Fame, and CSO Magazine named him a CSO Compass Award winner. Ira writes for a number of industry publications and has been a keynote speaker at major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting and director of technology of the National Computer Security Association. He was also on the faculties of Johns Hopkins University and the University of Maryland.