E-Mail Scheme Requesting W-2 Data Costs Employers


Earlier this year, payroll department employees at four companies found themselves providing information from employees’ Forms W-2, Wage and Tax Statement, to individuals posing as company executives. The data included names, Social Security numbers and salary information.

The imposters’ weapon of choice: spoofed e-mails. The cybercriminals engaged in a phishing scheme that has resulted in warnings to employers from the Internal Revenue Service. Information gained from such a scheme can be used to file fraudulent tax returns.

This is the 21st-century version of a note passed to a bank teller saying that a holdup was taking place, except no guns were used and personal information rather than money was given up electronically. For the companies affected, the scheme could inflict long-term financial costs.

New- and old-economy industries were affected by the scam. In each case, a payroll employee responded to a credible-looking e-mail bearing a company official’s name by sending W-2 information to the third party.

The data breaches led companies to implement additional security and training measures, or incur the expense of providing employees with identity theft or credit monitoring for several years. One company, which requested anonymity, told Bloomberg BNA that it did not have a dollar amount for providing identity-theft insurance and monitoring for two years. The company also said that it planned to strengthen the security and privacy awareness training it already conducts. Another company told Bloomberg BNA that it would not release the cost of providing credit-protection services.

Identity-theft insurance can cost $25 to $60 a year for each employee, and coverage may include credit alerts and monitoring, the National Association of Insurance Commissioners said.

What can employers do to combat this problem? In addition to more security measures, they can tell employees to follow a suggestion by IRS Commissioner John Koskinen and check before responding to an official-looking e-mail, for example one from the chief executive officer that asks for a list of company employees.

Employees whose employers experienced a data leak can go to the Federal Trade Commission website IdentityTheft.gov and report the security breach.
