Is your business ready to lose tens of thousands of dollars today?
Thieves have figured out a way to make it happen, and they use you, the business owner, your managers and your employees to do it.
Countless real-life examples tell the story of the W-2 email phishing scam.
It starts like this: In a moment of weakness, a company’s owner, CEO or other executive opens an email he thinks is from someone he knows. The email says an important document must be reviewed immediately. The executive follows instructions to view the document in the cloud by entering his email account’s username and password.
The executive doesn’t see the promised document. Embarrassed, he thinks, “I knew better than to click on that link. I’m glad I have antivirus on my computer and no one saw what I just did.” He goes on with his day.
But the damage is done. A thief set up that fake login page just to capture data. Now the thief goes to work. He logs into the executive’s email and starts reading messages, looking for other employees. He says to himself, “I need accounts payable, human resources…” He starts impersonating the executive and sends email messages.
With a legitimate-sounding reason, he tells HR to send employee W-2 forms for review. The thief can use the forms to file fraudulent tax returns. In a new twist, the thief follows up with an email to payroll or the comptroller asking for a wire transfer to an account.
Employees usually do what an executive tells them. And right there, in one day, you’ve lost tens of thousands of dollars.
You’ve also given up critical information about your employees, and their trust. That loss cannot be quantified.
Executives cannot be too careful with their email accounts. Set up two-factor authentication. Never click on links or open attachments unless you know for certain who sent the email and what it contains.
Set up protocols and systems for W-2 handling and bill payment. W-2s should never be emailed. Financial information should not be shared electronically without encryption.
Talk about and train people on digital security at least monthly.
Keep the cash in your account — and out of the hands of thieves.