Tax Season = Scam Season

February 08, 2017

I'm sure everyone is aware that taxes will be due in a little over 2 months; corporations, small businesses, and individuals are scrambling to collect documentation to file on time. In all the mass confusion and stress, there are thieves plotting against you to steal your data. Sparkhound just wanted to send out a quick reminder to spark conversation and awareness in your organization.

The Target

W-2  forms are the main target in phishing scams this time of year; each form holds Social Security Numbers, Names, Addresses, and wage data. This valuable information will be used most often to file fraudulent tax returns in the employee's name. It can also lead to other types of Identity Theft, most notably, opening credit cards in the employee's name.  

The Threat

Most of the fraud will be initiated through a phishing scam using a spoofed email; it will appear to be from someone of authority within your organization, asking for W-2 information as quickly as possible. Through some reconnaissance, the scammer will identify employees in the HR or Payroll department and target them with the email request. The email will typically ask for all "active" records and will ask that you attach to the email response or drop it to a file sharing application.  

If that wasn't enough, the IRS has recently warned organizations that once the W-2 fraud is successful, the same fraudster will request a wire payment to satisfy a tax debt owed.   

The Vulnerabilities

These tax scams are able to be perpetrated because of the existing vulnerabilities present in most organizations.

  • People:  Social Engineering is a very successful method of stealing data, going after the weakest link of an organization's information security defenses. The attackers will prey on this hectic time of year, will use forceful demands, and know exactly what to say to get the information they need. Information Security Training and Awareness is usually lacking for non-IT staff and the cyber criminals exploit it. 
  • Process:  The W-2 scheme mentioned above impacts companies of all sizes on a regular basis, year after year, because processes for receiving and processing those types of requests are not formalized and documented. SOPs are not written or not shared among the HR and Payroll departments, with specific roles and responsibilities. Additionally, most companies don't review sensitive access on an annual basis that could allow lower level staff having excessive access to W-2 information that is being requested.  
  • Technology:  Not every company has security controls in place to thwart phishing attacks. The use of web gateways to prevent connecting to malicious links, email gateways to block or scan suspicious emails with embedded links and attachments, or data leakage controls to prevent sensitive information from leaving the company's network. 

The Answer

There are many things that you can do to protect your company's data in regards to phishing scams, most include technologies that may exceed your budget. Alternatively, you can address the bulk of threats by focusing on the People and the Processes. If you focus on improving your processes and providing end user awareness, many of these scams will be sniffed out.  

  • HR and Payroll need to have specific Policies, Processes, and Procedures that address the request of sensitive information, the appropriate levels of approvals, the method to transmit the data, and the confirmation of receipt.  
  • Review access to W-2 forms and other systems that contain sensitive information; this should be an annual exercise at a minimum.
  • Make sure that staff are exposed to Information Security Training upon hire, on an annual basis, and if feasible, monthly security tips. Awareness can go a long way in preventing damage to your company and your employees. Make sure they know not to trust the "From" header in an email; it can easily be spoofed to appear as if it's an internal email or one from a trusted source. Also, for odd or suspicious emails, have them hover with their mouse over the sender's email addresses to validate the sender's domain and make sure they double check the spelling of the domain.

Sparkhound is here to help if you have any questions on improving your information security programs!

Information and material in our blog posts are provided "as is" with no warranties either expressed or implied. Each post is an individual expression of our Sparkies. Should you identify any such content that is harmful, malicious, sensitive or unnecessary, please contact

Meet Sparkhound

Review our capabilities and services, meet the leadership team, see our valued partnerships, and read about the hardware we've earned.

Engage with us

Get in touch with any of our offices, or check out our open career positions and consider joining Sparkhound's dynamic team.