How your employer might give your tax information to identity thieves
Posted April 18, 2016
There are many measures you can take to protect your identity, such as never distributing personal information through email.
But when it's your employer that's getting scammed and giving out your information, you may feel powerless.
Last week, Sprouts Farmers Market revealed that it had fallen prey to an email phishing attack. As a result, a Sprouts payroll employee inadvertently released the W-2 forms of 21,000 Sprouts employees to cyber scammers.
The security breach occurred when the payroll employee received an email that appeared to be from a company executive requesting the W-2s of all Sprouts employees. In reality, the email had been faked and was sent for the purpose of tax-related identity theft.
According to Tripwire, the leaked information included employee names, Social Security numbers, addresses, salaries and other personal information — everything needed to file falsified tax returns and steal tax refunds.
Unfortunately, Sprouts is not an isolated case. In fact, Infosecurity Magazine calls these email phishing scams an "epidemic," reporting over 50 cases of corporate security breaches this year alone. Other high-profile targets include Snapchat, Seagate Technology and Kentucky State University.
One thing you can't avoid is giving your personal information to your employer, as they need it for compensation and tax reasons. So if it only takes one person in the company to compromise the security of every employee, what can you do to stop large-scale phishing or whaling scams? Not too much, but there are a few things that might help.
File your taxes earlier
Procrastinating until the last minute can actually increase your chances of falling victim to tax-related identity theft. The reason is that scammers want to steal your tax refund before you can file. It's all about beating the criminals to the punch.
The IRS will only process the first return it receives filed under a single SSN. Consider the Sprouts incident last week: employees who filed early will not be at risk of having their refund stolen because the IRS will not process a second return with their same SSN.
Report suspicious activity
Despite the surge of massive phishing scams this year, the IRS is taking steps to increase security and crack down on cyber crime. It relies on tips from citizens, however, to apprehend scammers and bring them to justice.
If you or someone you work with sees an email that seems suspicious, forward it to firstname.lastname@example.org.
Spread the word
You may want to forward this or another article about phishing/whaling scams to your payroll staff or anyone else who has access to your personal information.
These scams rely on ignorance and miscommunication. For example, if the Sprouts employee knew how to identify phishing scams, he or she could have easily prevented the security breach by contacting the executive who appeared to be requesting the information and verifying.
While security software may help in preventing these breaches, phishing scams are typically caused by human error, reports CSO. Human solutions like increased awareness and education, better communication and policies that prevent any one person having access to such a huge amount of sensitive information are needed to stop large-scale tax fraud.