
Phishing For a Refund – What You Should Know to Block W-2 Wage Theft, Tax and Wage Fraud

January 24, 2017 by mbruemmer

Fighting Tax Identity Theft and W-2 Fraud

Last year, your business had until Feb. 28 to submit paper W-2s to the Social Security Administration and until March 31 for electronic W-2s. That cushion of time disappears this year. In 2017, the deadline for filing both paper and electronic W-2s with the SSA is the same date they’re due in employees’ hands: Jan. 31.

The deadline change is just one of the tactics the federal government is using this year to try to reduce tax- and wage-related identity theft and fraud. The lapse between employees receiving their W-2s and the SSA getting the forms created a window of opportunity for fraudsters to capture form information and file fraudulent tax returns. The IRS is also cracking down on tax- and wage-related fraud by taking a closer look at returns filed with earned income tax credit and additional child tax credit — a move that could delay refund checks for 40 million working poor families, NBC reported.

Phishing for W-2s

Tax- and wage-related fraud has been growing. Tax or wage identity theft complaints constituted 45 percent of all identity theft complaints reported to the Federal Trade Commission in 2015. The data breaches that lead to tax- and wage-related fraud often occur through employers — or, more accurately, the actions of well-meaning employees who fall victim to phishing schemes.

Phishing has proven particularly effective for cybercriminals attempting to steal W-2s and the wealth of information they contain. The scenario is simple: An employee with access to W-2 data receives an email purporting to be from a company leader — the CFO, CEO, owner, etc. The email directs the employee to send proprietary data, typically W-2s. Because no one wants to rock the boat, question the boss and potentially get in trouble, the recipient responds by sending the requested data — only to learn later that the executive they thought the request came from didn’t actually send the email.

Once cybercrooks have the W-2s, they can use the data to file fraudulent tax returns. Consumers whose information has been breached in this way might not learn of the fraud until they file their own tax returns and the IRS notifies them it has already received their return and issued a refund.

During the 2015 tax season, Experian Data Breach Resolution handled more than 70 W-2 schemes per week, and many of them started with successful phishing attacks. In fact, phishing, hacking and malware attacks accounted for 31 percent of cybersecurity incidents in 2015, according to a study by law firm BakerHostetler.

The first line of defense

The federal government’s efforts to stem the tide are important, but employers remain the first line of defense, especially against phishing attacks. Unfortunately, research by the Ponemon Institute tells us that just 49 percent of organizations include phishing and social engineering attacks in their employee security trainings.

As your organization navigates through the 2016 tax filing season, it’s critical to take steps to prevent theft of employee data, including:

  • Train employees to recognize the signs of a phishing attack and how to respond when one occurs.
  • Establish and/or reinforce protocols on what types of information should never be transmitted via email, such as Social Security numbers, home addresses and phone numbers.
  • Limit who has access to PII. This can reduce the number of potential targets for a phishing attack.
  • Require verification for data requests that deal with W-2s and PII, even if the request appears to come from the executive level of the organization. Don’t penalize employees who request verification.
  • Do reward employees who follow security protocols, especially if their efforts result in the discovery and blocking of a security threat.
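The impersonation scenario described earlier and the verification and no-PII-by-email rules in the list above can be partly enforced at the mail gateway. The following is an added example, not code from the original post: the company domain, executive names and sample messages are constructed, and it assumes single-part plain-text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; substitute your own domain and roster.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan", "lee chen"}
W2_TERMS = re.compile(r"\bw-?2s?\b|wage and tax statement|social security", re.I)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def review_inbound(raw):
    """Return reasons to hold a message until the sender is verified out of band."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # single-part text assumed
    reasons = []
    if name.strip().lower() in EXECUTIVES and domain(addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    if reply_to and domain(reply_to) != domain(addr):
        reasons.append("Reply-To domain differs from From domain")
    if W2_TERMS.search(text):
        # Held even when the sender looks internal, per the verification rule.
        reasons.append("requests W-2 or PII")
    return reasons

def outbound_has_ssn(body):
    """True if an outgoing message body contains an SSN-formatted number."""
    return bool(SSN.search(body))

# Constructed sample messages.
SPOOFED = """From: Pat Morgan <pat.morgan@examp1e-mail.test>
Reply-To: payroll-docs@other.test
Subject: Urgent: employee W-2s

Please send me all 2016 W-2 forms as a PDF today.
"""
INTERNAL_REQUEST = """From: Lee Chen <lee.chen@example.com>
Subject: Need the W2 files

Send them over when you can.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, INTERNAL_REQUEST):
        print(review_inbound(raw), outbound_has_ssn(raw))
```

A request that only trips the W-2 rule is still held: the point of the verification step is that a correct-looking sender is not proof of who sent the message.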

Legal Notice: The information you obtain herein is not, nor intended to be, legal advice. We try to provide quality information but make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained. As legal advice must be tailored to the specific circumstances of each case and laws are constantly changing, nothing provided herein should be used as a substitute for the advice of competent legal counsel.
