Free Enterprise - The FindLaw Small Business Law Blog

W-2 Phishing Scams Target Small Businesses

While small businesses always need to be alert for hackers and other security threats, tax season always seems to be especially popular for phishing scams. Perhaps it's our eagerness to put the work behind us or get it done quickly, but small business owners can be especially vulnerable to scammers trying to get access to personal employee information regarding tax filings.

Take, for instance, a recent W-2 phishing scam uncovered by cybersecurity analysts Barracuda -- attackers are using multiple techniques to trick small business owners and employees into sending the employee W-2 forms, which can include an employee's name, social security number, and other identifying information. Here's how to keep your small business safe.

Hook, Line, and Sinker

As identified by Barracuda, the W-2 phishing scam involves cyber criminals using fake email accounts to impersonate a "manager, senior level executive, or whoever in your company would need access to the W-2":

Cyber criminals will use their fake account to suddenly send the HR department or person handling W-2's an email urgently requesting a copy of someone's W-2.
This particular scam focuses on creating a sense of authority through the fake email account and a sense of urgency in the sudden request for the documents. Since the email seems to be coming from a person of power and this person seems to be asking for the information out of urgent need -- the victim is likely to comply.

Because the fake email accounts are designed to closely match real ones and employees are generally inundated with dozens of emails per day, they are more likely to respond with the W-2. And, given the personal information contained in the document, scammers sell it or use it to impersonate an employee or steal their identity.

Avoid the Bait

The best way to avoid phishing attacks in general and the W-2 scam specifically is to properly train all of your staff on the importance of cybersecurity and how to spot suspicious emails. As Barracuda notes, you can also configure your company's email security to create outbound filters whereby sensitive documents like W-2 forms cannot transmitted to an outside domain via email.

And if your small business has already been the victim of a phishing attack, you should commit to a full virus scan on all of your internet-enabled systems, change all account logins, and contact credit reporting companies on behalf of the employees or customers whose personal information has been compromised. You may also want to consult with an experienced cybersecurity attorney.

Related Resources: