
The Privacy Advisor | W-2 fraud: A trend privacy professionals can't afford to ignore


Employees today represent an increasing security risk for companies, especially with the growing number of sophisticated phishing attacks targeting organizations. However, while 66 percent of companies acknowledge that employees are the weakest link in the security chain, almost half provide just one basic training course for the entire workforce. How, then, would an employee react to a spoofed email purporting to be from the company’s CEO or CFO asking for sensitive information?

If tax season is any indication, the answer is unfavorable.

In the U.S. in 2016, there was a significant uptick in companies falling victim to phishing scams aimed at tricking employees into sending W-2 forms to criminals who then use the records to file fake tax returns, and this trend is only increasing this year. These scams have quickly become one of the most prolific forms of cybercrime, largely due to the fact that employees believe the requests are coming from trusted sources and do not know how to spot the warning signs.

The schemes are popular amongst criminals because of the opportunity for mass fraud, given all U.S.-based companies are required to issue W-2s. In fact, these schemes have already affected more than 29,500 people this year — a 25 percent increase from what Experian saw last year by this time.

Even more, the Internal Revenue Service recently issued a warning that W-2 email scams have evolved beyond the corporate sector to target school districts, tribal organizations, nonprofits and healthcare companies as well. Although the agency has taken steps to reduce fraud — setting new tax filing deadlines and delaying refunds — individuals are still not alerted when a tax form has been filed in their name, legitimately or otherwise.

The reality is that companies are on the frontlines of protecting their employees from these attacks, and technology alone cannot solve a security problem that preys on human error. Instead, proper education and training must act as a crucial defense mechanism, and privacy professionals play a major role in this process.

Below are key steps privacy professionals should ensure their companies are taking to better identify these phishing scams and protect their employees.

Educate HR teams about the dangers of CEO-spoofing scams, and conduct training sessions

A recent Ponemon study found that only 45 percent of companies make security training mandatory for all employees and less than half of organizations include phishing and social engineering attacks in these courses. It’s vital that data protection and privacy programs are put in place and conducted on a regular basis, especially around tax season and with HR departments, as they maintain sensitive employee and company data and are often the target of these attacks.

Trainings should focus on identifying phishing emails and requests for personally identifiable information that should never be sent in an email, such as home addresses, phone numbers, passwords and Social Security numbers. While it’s critical that HR teams receive ongoing training, these courses should be mandatory for all employees and system users within an organization as attackers will target the weakest links, which can include third-party vendors and partners. This is an important area where corporate executives should look to privacy professionals for direction and support.   

Empower employees to question requests for sensitive information

Many recent W-2 scams have involved a hacker posing as a CEO or senior executive and asking for a comprehensive PDF of information to be provided on a tight deadline. Instead of questioning why the CEO would need so much sensitive information so quickly, employees scramble to prepare the data and provide it under the deadline.

In these instances, training alone is not enough. Employees must be reminded by experts within the organization that even if the requestor appears to be legitimate, any requests that are out of character bear further scrutiny.

Privacy professionals should provide guidance on appropriate responses to requests for large amounts of personally identifiable information. For example, simple verbal confirmation of the request can often serve as an efficient method of authentication in such situations.

Restrict access to files containing sensitive information

Instances of W-2 fraud always involve employees exporting a large amount of data to an external source. If there are fewer employees with access, companies will have tighter control of the system as well as have fewer employees to train at that level. Technology can also be part of the solution by creating network controls that require additional approval from a second source to export bulk data.

Some organizations have implemented flags to hold emails sent to external audiences if they contain certain protected words. Others have placed limits on the amount of data that can be accessed or sent by one employee at one time. Privacy professionals should work with corporate executives and IT teams to ensure best practices are put in place, such as two-step authentication or required manager approval for all sensitive actions involving money transfers and employee payroll data. In general, informed and trained employees, in conjunction with properly secured systems, are key to protecting against W-2 scams. 
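As an added illustration of the outbound controls described above (example code, not part of the original article), the following Python sketch holds mail to external addresses when it carries protected words or SSN-like values, and routes bulk payroll exports for a second approver; the company domain, word list and record threshold are assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed company domain and thresholds (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_WORDS = ("w-2", "w2", "social security", "ssn", "payroll")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # SSN-like pattern
BULK_RECORD_LIMIT = 25                          # more than this needs a second approver


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


def external_recipients(mail):
    """Recipients whose domain is not one of the company's own domains."""
    return [r for r in mail.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(mail):
    """Return (action, reason): 'hold', 'needs_approval' or 'deliver'."""
    text = " ".join([mail.subject, mail.body,
                     *mail.attachments.keys(), *mail.attachments.values()]).lower()
    words = [w for w in PROTECTED_WORDS if w in text]
    ssn_like = len(SSN_RE.findall(text))
    ext = external_recipients(mail)
    # Rule 1: protected words or SSN-like values leaving the company are held for review.
    if ext and (words or ssn_like):
        return "hold", f"protected content to external {ext}: words={words}, ssn_like={ssn_like}"
    # Rule 2: bulk employee records, even sent internally, require a second approver.
    if ssn_like > BULK_RECORD_LIMIT:
        return "needs_approval", f"{ssn_like} SSN-like values exceeds limit {BULK_RECORD_LIMIT}"
    return "deliver", "no protected content detected"


# Constructed sample: a reply to a lookalike domain carrying the whole W-2 set.
SPOOF_REPLY = OutboundMail(
    sender="hr@example.com", recipients=["ceo@examp1e.com"],
    subject="RE: urgent - all employee W-2s", body="Attached as requested.",
    attachments={"2016_W2_all_staff.pdf": "Employee W-2 ... 123-45-6789"})

# Constructed sample: an internal payroll export of 30 records.
BULK_INTERNAL = OutboundMail(
    sender="hr@example.com", recipients=["payroll@example.com"],
    subject="export", body="\n".join(f"{i:03d}-45-6789" for i in range(30)))
```

A real deployment would run this at the mail gateway against extracted attachment text, not just the body, and log every hold so HR can see how often tax-season requests trip it.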

Ensure employees are provided with strong identity protection

Employees are a company’s greatest asset and ultimately face the largest burden in terms of the long-tail implications of an internal data breach. The vast amount of sensitive information contained in W-2 forms puts employees at risk for identity theft and fraudulent tax returns, among other issues.

Privacy professionals have a responsibility to ensure the company’s employees are properly protected against these threats. This is done by having the proper protocols like security training programs and incentives in place so that employees know how to spot cybercriminals and are equipped to report security issues and safeguard confidential and sensitive information.

At the end of the day, even the most advanced security systems are not always enough of a barrier to protect against a motivated attacker — especially when they rely on negligent employees. Training and education programs must take priority, and specifically address phishing scams that “tax” companies during more seasons than one. 

photo credit: kenteegardin IRS 1040 Tax Form Being Filled Out via photopin (license)
