Business Columns & Blogs

Boise sugar company’s data breach is a reminder to protect your identity

An employee in the packaging area of Amalgamated Sugar Co.’s Nampa plant in 2014. What has become known as the W-2 email phishing scam snared the company in late February, putting employees’ Social Security numbers and other private information at risk. “This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen.
An employee in the packaging area of Amalgamated Sugar Co.’s Nampa plant in 2014. What has become known as the W-2 email phishing scam snared the company in late February, putting employees’ Social Security numbers and other private information at risk. “This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen. Idaho Statesman

Nearly 3,000 Idahoans’ identities are at risk after a scammer persuaded an employee to give up tax information at the Boise-based Amalgamated Sugar Co. in late February.

The breach appears to be a version of the “CEO impersonation scam,” where con artists use spoofing techniques to make an email appear to be from a senior-level executive. The email goes to someone in human resources or payroll and asks the employee to send a list of all employees and their W-2 forms.

Wanting to please the boss, the employee complies. In fact, the employee is giving every employee’s personal information to criminals.

The Internal Revenue Service says this scam is spreading to more organizations this year than last. This scam is particularly devastating because W-2 forms contain so much sensitive information, including the all-important Social Security number. Scammers can use it to file false tax returns to obtain refunds.

Your Social Security number is the most valuable piece of your personal financial information. It is your main identifying number for employment, tax reporting, and credit-history tracking. A thief could use it to gain employment, open credit-card accounts or obtain loans under your name.

To protect it, don’t carry your Social Security card in your wallet, and provide it only when absolutely necessary. If a business asks for your SSN, ask how it will be used and how the busines plans to protect it. Often the business does not need it at all.

But, as Amalgamated’s experience shows, even the best personal safeguards can’t guarantee your Social Security number won’t be exposed.

What should you do if you think you are a victim of identity theft?

▪  File a report with your local police or the police in the community where the identity theft took place. This starts a paper trail on your road to recovery. Keep a copy of the police report and make note of the date of your report, in case your bank, credit-card company or other company needs proof of the crime.

▪  Place a fraud alert. Contact the credit-reporting bureaus, Experian, Transunion, and Equifax, and let them know you suspect your identity has been stolen. This will make it more difficult for thieves to use your information.

▪  Check your credit. Each credit reporting bureau is required to give you a free look at your credit once a year. You can do this at no cost at annualcreditreport.com. Access this site from a secure connection, not public WiFi, as you will have to enter your Social Security number. Note that you do not have to enter payment information. If you are asked for a card, double check that you are on the correct website.

There are a number of steps and safeguards to consider, and the Federal Trade Commission provides a thorough guide for additional information.

Emily Valla, emily.valla@thebbb.org, is the Idaho marketplace director for the Better Business Bureau Northwest. To check a business or report a scam, go to www.bbb.org or call (208) 342-4649.

  Comments