FBI Portland
Portland Media Office
(503) 460-8060
March 6, 2018

FBI Tech Tuesday—Building a Digital Defense Against W-2 Theft

Welcome to the Oregon FBI’s Tech Tuesday segment. This week, building a digital defense against W-2 fraud.

We are still a good month away from April’s tax filing deadline, but this is prime time for scam artists looking to cash in on your personal tax information. The FBI’s Internet Crime Complaint Center recently issued an updated warning for businesses and employees to be on the watch for W-2 theft. If a cyber thief gets ahold of your W-2, he now has the ability to file your tax return, and get your refund, before you do. He also has access to a great deal of personally identifiable information, including your Social Security number, and that can lead to a whole host of other frauds.

The most common way a scam artist gets your W-2 is through a phishing scheme—that’s phishing with a “ph.” He pretends to be an executive at the company and sends an e-mail to the HR department requesting employees' personal information or their W-2’s, allegedly for tax or audit purposes. In some cases, the fraudsters have been able to cause a massive data dump affecting thousands of employees.

Sometimes these requests for data are followed by or combined with a more traditional business-e-mail-compromise scheme where the fraudster convinces the finance department to also make unauthorized wire transfers under the executive’s spoofed authority.

Here are some basic steps that businesses can take to mitigate the threat:

  • Limit the number of people who have access to employees' personal info and W-2’s.
  • Set up two-factor verification systems to confirm the request and receipt of such sensitive information. This could be as simple as a phone call or a face-to-face meeting.
  • Establish protocols for sensitive information requests ahead of time and outside of the e-mail environment. You don't want a hacker who already has access to your system to know what your back-up security measures include.
  • Ensure that you secure sensitive PII and W-2 information with encryption.
  • Establish and maintain robust and strong security for your data, including firewalls, virus protection and spam filters.

Businesses that have suffered a data breach involving tax information should immediately report that breach to the IRS and their state tax agency. The IRS also wants to hear from you if you received a W-2 phishing e-mail but did not fall victim to the scam.

If you have been victimized by this online scam or other cyber fraud, be sure to also report it to the FBI’s Internet Crime Complaint Center at ic3.gov or call your local FBI office.