A Digital Defense Against W-2 Theft

The FBI gives basic steps to mitigate the threat of W-2 theft.

• By Sydny Shepard
• Mar 08, 2018

It is "prime time," about a month before April's tax filing deadline, for cybercriminals and scam artists looking to cash in on your personal tax information. The FBI has recently issued an updated warning for businesses and employees to be on the watch for W-2 theft.

If a cybercriminal gets ahold of your W-2, he or she has the ability to file your tax return, and get your refund, before you do. There is also a great deal of personally identifiable information, including your Social Security Number, that could lead to numerous other problems for a victim.

The FBI says the most common way a scam artist could get your W-2 information is through a phishing scheme. The hacker, pretending to be an executive at the company, sends an email to the HR department and asks for employee's personal information or their W-2's, perhaps for tax or audit purposes. In some cases, hackers have been able to cause a massive data dump affecting thousands of employees.

So, how can you strengthen your company to ensure this doesn't happen and the data of your employees is protected? The FBI's Internet Crime Complaint Center has put together some basic steps that businesses can take to mitigate the threat:

• Limit the number of people who have access to employees' person information and W-2's.
• Set up two-factor verification system to confirm the request and receipt of such sensitive information.
• Establish protocols for sensitive information requests ahead of time and outside the email environment.
• Ensure that you secure sensitive PII and W-2 information with encryption.
• Establish and maintain robust and strong security for your data, including firewalls, virus protection and spam filters.

"Businesses that have suffered a data breach involving tax information should immediately report that breach to the IRS and your state tax agency," the FBI said. "The IRS also wants to hear from you if you received a W-2 phishing e-mail but did not fall victim to the scam."