Accounting Personnel, Don’t Fall for this W-2 Scam

Tax season is nearly here, so it’s time to be on the alert for cyberattacks that target accounting office personnel. The IRS recently issued a warning that specifically mentions W-2 scams.

The last few years have seen a significant rise in this type of phishing scam that begins with an innocent-looking email. A cybercriminal poses as a company executive and emails someone in the accounting office with an urgent request to send them W-2 forms.

W-2 forms contain the sensitive and personal information of your employees, including name, address, social security numbers, income and withholding. Cybercriminals then use this information to commit identity theft and/or to file a tax return claiming a fraudulent refund.

If successful, the result of this scam is that your employees won’t get their tax refunds and they’ll have to enroll in an identity theft monitoring service. You can imagine how this would create some very unhappy employees.

Far worse than that, a successful W-2 scam means that your dealership has officially experienced a data breach. Costs related to remediation of a data breach can run into millions of dollars, depending on how many employees you have. Depending on your state’s consumer privacy laws, a data breach might also leave you open to potential lawsuits.

If you work in an accounting office or if you have authorization to access accounting information, be wary if you receive any emails asking for W-2 forms or any other type of form that contains sensitive information.

These “spoof” emails look like they come from the dealer principal, general manager or another senior executive. The first email might be just a simple, “Hey, are you in today?” However, ultimately you will receive a request for a list of employees and their W-2 statements.

Examples of how these requests are worded include “Kindly send me the individual 2019 W-2 (PDFs) and earnings summary of all our company staff for a quick review.” Or, “I’m analyzing some reports and need a copy of all our W-2s for last year.”

If you receive a request like this from anyone in your organization, principal included, don’t automatically comply with the request. Take the following steps to ensure the request is a valid one.

Step 1: First, don’t click on any links in the email or download any attachments. You might be installing a virus or malware.

Step 2: Don’t reply to the email that was sent to you. Instead, create a new email and double check the email address of the contact who you believe sent the request to you. Write them an email that says you are verifying their request for W-2 forms that contain sensitive customer data.

Step 3: In addition, call or text the same person to verify the request, just in case the perpetrator has successfully hacked into that person’s email account.

It’s far better to be overly cautious here than to be the direct cause of a data breach.

To prevent this type of scam from happening in your dealership, it’s recommended that you:

Limit the number of people in your dealership who can access or process W-2 forms, as well as other documents that contain sensitive data

Consider a policy that doesn’t allow anyone—even principals or senior executives—to request forms that include sensitive information via email

Enroll employees in security awareness training, which helps them to identify phishing emails

Create a validation process that enables employees to verify the legitimacy of a request that contains sensitive information, or a cash transfer request