W-2 theft and other tax season scams to watch for in 2020
It's tax time again in the US and that means that everyone from the IRS to your bank to your company IT department is going to be warning you about tax scams. These repeated reminders are necessary because people become less vigilant as they are rushing to meet tax-related deadlines. Meanwhile, cybercrime is at an all-time high, with damages exceeding 1.5 trillion in 2018.
One common belief about tax scams is that they only involve W-2 forms, but this type of crime is becoming less prevalent compared to other email fraud. Massive data breaches in recent years have reduced the value of the W-2 form as a means to harvest personally identifiable information, though they are still used to file fake tax returns. Increased awareness and security around W-2 theft have led to better reporting and tracking of stolen W-2s. Cybercriminals are finding that other types of scams have higher returns on investment.
We've detailed W-2 scams on this blog and it's important to understand them because they are still an ongoing threat. IRS impersonation attacks are also common during the tax season. These attacks may include phone calls (including robocalls) and email messages from hackers claiming to be the IRS or the Bureau of Tax Enforcement. The IRS does not ask for money over the phone and does not make robocalls. The Bureau of Tax Enforcement does not exist. You may also receive a physical letter through the mail or another carrier. IRS letters will always have an official seal and will include an account number and contact information. When in doubt, always contact the IRS directly using the contact information from a source other than the email or letter in question.
There are a few different things you can do to protect yourself and your company from tax season scams.
The IT department should make sure that the company's security is up-to-date and configured correctly, and that the company is following best practices. Specific examples of this include:
- Deploying protection against spear-phishing and impersonation attacks
- Using Data Leak Protection (DLP) technology to prevent W-2 forms and other sensitive data from being emailed to recipients outside the organization
- Ensuring proper Incident Response and reporting tax-related scams to the IRS
The IT team should also conduct training and awareness activities with the company employees that include specific tax fraud security training. This should cover tax fraud beyond the email scams, and instructions on how to respond to an attack.
Employees should stay up to date with security training and internal policies on handling data and personally identifiable information (PII). They should also remain vigilant to handle their own personal information with care.
The IRS provides an annual list of the most prevalent tax scams. This "Dirty Dozen" list for 2019 can be found here and cautions the public beyond cybercrime. It's a good idea to review this list each year.
Barracuda Total Email Protection can help you protect your company and employees with multiple layers of email security. Barracuda Essentials is a comprehensive platform that defends your network from advanced threats like ransomware, and it includes technology like Data Leak Protection, Link Protection, and more. Barracuda Sentinel uses artificial intelligence to detect corporate messaging anomalies that appear to be spear-phishing attacks.
Barracuda PhishLine adds another layer of defense to your email security, with computer-based training that teaches employees how to recognize and avoid falling prey to phishing attacks. In the event that there is a successful attack on your organization, Barracuda Forensics and Incident Response arms your IT organization with the tools needed to respond to attacks and stop the damage in minutes, rather than hours or days.
If you'd like to check your email environment for malware and other threats right now, visit our website for a free email threat scan.