2019 Update: New Phishing Scam Goes After Your W-2 Form


You can’t trust anyone these days. Just look at your email inbox for proof. How many solicitations do you get each day for offers that are too good to be true? How many requests to open suspicious attachments or visit unknown websites that could contain malware?

Phishing threats have evolved quite a bit from those days when self-proclaimed African royalty were asking your help to launder their money. Today’s cybercriminals are becoming smarter, more aggressive, and more successful, and their scams are costing CT businesses and their employees real money.

Watch the Free Cybersecurity Awareness Training Video


Your Tax Records at Risk

Early in 2016 a scam threatening many businesses in a sophisticated version of a W-2 phishing attack. During tax season of that year, the IRS issued a bulletin to all Connecticut businesses warning them about a scam that originated with larger corporations, but widened to target  organizations like schools, hospitals, restaurants—virtually anyone with a payroll.

In December 2018, the IRS issued a new warning for Connecticut businesses and employees to beware of a new scam in which criminals present themselves as company owners or high executives in  attempt to steal valuable tax and personal information. “They send an email pretending to be a company executive. The correspondence may begin with an innocuous, “Hey, you in today?” But by the end of the exchange, the impostor asks for a list of employees and their W-2 statements.”

The scam is simple, but the results can be devastating. Once records are released, they can be used for identity theft (because social security numbers are exposed), fraudulent tax returns or other purposes.

To make things worse, some cybercriminals also issue a second email requesting the comptroller or payroll manager to wire funds to a specific account, supposedly as part of payroll. The result can be a loss of thousands of dollars in addition to employees’ personal information.

According to an IRS estimate, in 2016 between $1.68 billion and $2.31 billion was paid out in refunds that may have been claimed as a result of identity theft.

How can Connecticut businesses protect themselves and their employees from sophisticated phishing scams like this one?

Unlike computer viruses that can be filtered out using software, you can’t keep people from being duped. Your best defense is awareness. Train your employees to be watchful for phony emails and create protocols to help them avoid taking the bait from these types of phishing emails.


Don’t Take the Bait

There are a number of telltale signs that can alert you that an incoming email is phony. Here are a few ways to tell if an incoming message is a fake:


1. Look for Typos or Odd Formatting

Although phishing emails are created to have the look and feel of a real company message, right down to the logo, crooks often make typographical or grammatical errors that you won’t see from a corporation. If there are errors in the message, be suspicious.


2. Check the Sending Email Address

Often an email will look like it comes from a legitimate source, but when you look past the sender’s name, the email address may tell you it’s from someone else. Watch for unknown email addresses, especially from public email systems such as Gmail or Yahoo and from foreign countries (e.g. email addresses ending in .ru, for Russia; .cz, for Czechoslovakia; or .ro, for Romania).


3. Urgent Action Required

Any email requesting an immediate response is likely a phishing email.

If you know what to look for and develop best practices for employees, you can minimize risk from phishing attacks. Here are just a few safety tips to consider:


A. Never Provide Personal Information in an Email

Any email request that asks for personal information, such as an account number or Social Security number, is suspect. Never send personal information over email, even if you think you know the party sending the request. Email accounts are routinely co-opted and used to send phishing messages, so you are never sure who is on the receiving end.


B. Never Click on an Embedded Email Link

Common phishing attacks look like messages from your bank or other financial service with a link to the website. The link may be directed to a phony website designed to capture personal information or deliver malware. Rather than clicking on the email link, open your browser and type in the link directly. Do not cut and paste.


C. Do Not Open Unknown Email Attachments

Businesses routinely use email to send files between departments or employees, but if you see an attachment from an unknown source, be suspicious. It could contain malware.


D. Keep Your Log-In Credentials Secure

Be sure that employees are cautious with PINs and passwords. Don’t write them down and don’t keep using the same password. Also, be sure to change passwords regularly to reduce the risk of an attack using stolen credentials.


E. Pick Up the Phone And Verify

When in doubt pick up the phone and verify that the CEO’s email is legit.


Be Proactive in Protecting Personal Information

In addition to training employees to be on the lookout for phishing attacks, you also can take additional steps to protect your company from phishing attacks. Be sure to use anti-malware software and keep it up to date. Many anti-malware solutions are programmed to spot phony email addresses and malicious websites.

Third-party support can be invaluable in the fight against cyberattacks. Managed services providers can maintain anti-malware protection for you, including updating the software, filtering incoming email, and monitoring for malware and malicious content. A managed services provider also can help with timely system backups and disaster recovery, so if your business systems are infected, you can restore them with a clean backup.

You may not be able to protect your employees from every type of phishing attack, but you can substantially reduce risk. Be sure to train employees about secure email and contract with the right managed services partner to help head off cyberthreats. The more you educate your staff and take steps to protect personal information, the less likely you will be the victim of a phishing attack.


it grader ct small business

About The Author

President of NSI, Tom has been helping small and medium businesses succeed in Connecticut for over 25 years.