Phishing attacks are extremely scary. Scammers are constantly getting better at creating fraudulent emails that look official, which leads to more victims.
The FBI is now warning Americans about a large increase in phishing emails targeting their W-2 forms. You should share this article with friends and family so they know what to look for.
Is your Social Security number at risk of being exposed?
Cybercriminals are using various spoofing techniques to make fake emails appear to come from an executive within an organization. The phishing email is sent to employees in payroll or HR and asks for a list of all employees and their W-2 forms.
If an employee gives the scammer your W-2 form, there are many possible horrible outcomes. The criminal will have your personal data, including your Social Security number, which can lead to identity theft. They could also attempt to file a fraudulent tax return in your name.
The IRS said 200 businesses, Native American governments, public schools, universities and nonprofit agencies fell victim to these scams during this year's tax filing season. In 2016 that number was 50.
The IRS is urging all employers to warn their payroll, finance and human resources departments about these scams. It is also suggesting that companies create an internal policy on the distribution of employee W-2 information and on conducting wire transfers.
What you need to do
The IRS is providing steps that both employers and employees need to take if impacted by the W-2 scam.
Steps for organizations:
- Organizations that receive a W-2 scam email should forward it to email@example.com and place "W2 Scam" in the subject line.
- Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3). It's operated by the FBI.
Steps for employees:
- Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
- Employees should file a Form 14039, Identity Theft Affidavit, if the employee's own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.
These latest scams are variations of others that have appeared in the past, focusing on large-scale thefts of sensitive tax information. Individual taxpayers can also be targeted with these types of phishing scams.
The IRS said taxpayers should not use search engines to find technical help with taxes or tax software. Selecting the wrong link could lead to a loss of data or an infected computer.
How to protect against phishing attacks:
- Be cautious with links - If you get an email or notification that you find suspicious, don't click on its links. It could be a phishing attack. It's always better to type a website's address directly into a browser than to click on a link.
- Do NOT enable macros - You should never download PDF, Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
- Use unique passwords - Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it's simple for the cybercriminal to get into each account.
- Set up two-factor authentication - Two-factor authentication, also known as two-step verification, means that to log in to your account, you need two ways to prove you are who you say you are. It's like the DMV or bank asking for two forms of ID.
- Check your online accounts - The site Have I Been Pwned allows you to check if your email address has been compromised in a data breach.
- Have strong security software - Having strong protection on your gadgets is very important. The best defense against digital threats is strong security software.