Business Insider

You’ll lose a lot more than cash in the W-2 scam

A beet flume at Amalgamated Sugar Co.’s Nampa plant. plant to your table. What has become known as the W-2 email phishing scam snared the company in late February, putting employees’ Social Security numbers and other private information at risk. “This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen. Idaho Statesman

Is your business ready to lose tens of thousands of dollars today?

Thieves have figured out a way to make it happen, and they use you, the business owner, your managers and your employees to do it.

Countless real-life examples tell the story of the W-2 email phishing scam.

It starts like this: In a moment of weakness, a company’s owner, CEO or other executive opens an email he thinks is from someone he knows. The email says an important document must be reviewed immediately. The executive follows instructions to view the document in the cloud by entering his email account’s username and password.

The executive doesn’t see the promised document. Embarrassed, he thinks, “I knew better than to click on that link. I’m glad I have antivirus on my computer and no one saw what I just did.” He goes on with his day.

But the damage is done. A thief set up that fake login page just to capture data. Now the thief goes to work. He logs into the executive’s email and starts reading messages, looking for other employees. He says to himself, “I need accounts payable, human resources…” He starts impersonating the executive and sends email messages.

With a legitimate-sounding reason, he tells HR to send employee W-2 forms for review. The thief can use the forms to file fraudulent tax returns. In a new twist, the thief follows up with an email to payroll or the comptroller asking for a wire transfer to an account.

Employees usually do what an executive tells them. And right there, in one day, you’ve lost tens of thousands of dollars.

You’ve also given up critical information about your employees, and their trust. That loss cannot be quantified.

Executives cannot be too careful with their email accounts. Set up two-factor authentication. Never click on links or open attachments unless you know for certain who sent the email and what it contains.

Set up protocols and systems for W-2 handling and bill payment. W-2s should never be emailed. Financial information should not be shared electronically without encryption.

Talk about and train people on digital security at least monthly.

Keep the cash in your account — and out of the hands of thieves.

Dale Dixon is chief innovation officer of the Better Business Bureau Northwest. 342-4649, dale.dixon@thebbb.org
