As the year-end season ramps up with the delivery of W-2 and ACA statements to employees, cybersecurity must be a top priority. The IRS has documented the persistent risk of W-2 scams, which harvest employee information via email phishing. Phishing is one of the simplest, yet most effective, cyberattacks.
In Verizon’s 2020 Data Breach Investigations Report, phishing was the most common attack vector in breaches. For W-2s, phishing often takes the form of someone posing as an executive and requesting form access via email. Alternatively, employees themselves may receive convincing-looking messages saying their W-2s are ready — a scam seen by some providers last year.
W-2 phishing is so common that the IRS has its own protocol for reporting such incidents. Wire fraud cases also routinely feature stolen or fabricated W-2s, such as one involving $600,000 in fraudulently filed tax returns, uncovered by the Department of Justice in 2021.
So what can you do to keep your data safe this year-end season and beyond? Let’s dive into some reliable security tips across HR and payroll that you can share with your employees.
1. Follow email security best practices
Email is the most common phishing channel, and a lot of scams can be avoided with basic email hygiene:
- Never click on links in emails you didn’t expect to receive, or that come from people you don’t know.
- If you’re still unsure, look for grammatical mistakes, typos and lengthy return addresses — all tell-tale signs of phishing.
- Also, bear in mind that agencies like the IRS — which phishers often pretend to work for — never communicate with the public via email.
- Likewise, reputable vendors will never ask to verify sensitive data like W-2 data or login information via email.
2. Verify the identity of anyone requesting sensitive information
Let’s say you’ve run through the protocols above but still aren’t sure whether to engage with someone inquiring about tax forms.
Additional steps you can take include using an out-of-band verification channel, like chat, SMS or voice call, to confirm the sender’s identity before sharing anything. Some email clients, such as Microsoft Outlook, also surface context about senders, for instance by warning that a message did not pass sender authentication.
Sender Policy Framework (SPF) can be configured as well, to prevent the spoofing of your organization’s email addresses. With an SPF record published for your domain, receiving mail servers can check whether the server that sent a message is one you have authorized, so a phishing email from someone only pretending to send from your organization’s email domain won’t make it past filters.
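To show what that filter check actually does, here is a minimal SPF evaluator added as an example (not CIC Plus code). The domains, IP addresses and TXT records are constructed and held in a dictionary in place of real DNS lookups; it handles the `ip4`, `include` and `all` mechanisms with their qualifiers.

```python
"""Minimal SPF evaluation against constructed DNS data (added example, not CIC Plus code).
Shows how a receiving mail server decides whether the connecting IP is authorized
to send mail for the envelope-from domain. All names and addresses are hypothetical."""
import ipaddress

# Constructed TXT records standing in for real DNS lookups (hypothetical domains).
DNS_TXT = {
    "example-payroll.test": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.test -all",
    "_spf.mailvendor.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
}

# SPF qualifiers: "+" is the default when a mechanism carries none.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip sending as domain."""
    if depth > 10:                       # RFC 7208 caps recursive lookups at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # the domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":                # catch-all: decides the result for any IP
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include only matches when the referenced domain's policy yields "pass".
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                     # no mechanism matched and no "all" present


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.11", "192.0.2.7"):
        print(ip, "->", check_spf("example-payroll.test", ip))
```

A message claiming to come from the payroll domain but sent from 192.0.2.7 evaluates to "fail" under the `-all` policy, which is the signal a filter uses to reject or quarantine it; a domain with no record at all yields "none", so SPF protects only domains that publish a policy.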
3. Implement and enforce supplemental security measures
Beyond the above protections, make sure to use multifactor authentication (MFA), data encryption, password management and single sign-on (SSO):
- CIC Plus employs MFA so that access to employee information requires an additional factor (e.g., authenticator code) beyond just a password.
- Encryption lowers the risk of data being intercepted and read.
- Password management and SSO eliminate the danger of weak logins being recycled across apps and other services.
Putting it all together, these security measures should be implemented when storing reports and other sensitive data, to ensure that they’re safe and only accessible to verified users.
4. Partner with your information security team
Throughout the process of securing your tax forms, collaborate closely with members of your information security team. They can help determine which technical protections make the most sense and how to set them up in a way that balances security with user experience.
Why work with CIC Plus?
CIC Plus takes every precaution to shield your tax forms and data from harm. Connect with our team to learn more about how we can help make your year-end processes as safe and efficient as possible.