How your employer might give your tax information to identity thieves

Posted April 18

Sprouts Farmers Market has added its name to the long list of companies who were victims of tax fraud this year, compromising the tax information of 21,000 employees. But there are a few things you can do to make sure your company isn't next. (Deseret Photo)

There are many measures you can take to protect your identity, such as never distributing personal information through email.

But when it's your employer that's getting scammed and giving out your information, you may feel powerless.

Last week, Sprouts Farmers Market revealed that it had fallen prey to an email phishing attack. As a result, a Sprouts payroll employee inadvertently released the W-2 forms of 21,000 Sprouts employees to cyber scammers.

The security breach occurred when the payroll employee received an email that appeared to be from a company executive requesting the W-2s of all Sprouts employees. In reality, the email had been faked and was sent for the purpose of tax-related identity theft.

According to Tripwire, the leaked information included employee names, Social Security numbers, addresses, salaries and other personal information — everything needed to file falsified tax returns and steal tax refunds.

Unfortunately, Sprouts is not an isolated case. In fact, Infosecurity Magazine calls these email phishing scams an "epidemic," reporting over 50 cases of corporate security breaches this year alone. Other high-profile targets include Snapchat, Seagate Technology and Kentucky State University.

One thing you can't avoid is giving your personal information to your employer, as they need it for compensation and tax reasons. So if it only takes one person in the company to compromise the security of every employee, what can you do to stop large-scale phishing or whaling scams? Not too much, but there are a few things that might help.

File your taxes earlier

Procrastinating until the last minute can actually increase your chances of falling victim to tax-related identity theft. The reason is that scammers want to steal your tax refund before you can file. It's all about beating the criminals to the punch.

The IRS will only process the first return it receives filed under a single SSN. Consider the Sprouts incident last week: employees who filed early will not be at risk of having their refund stolen because the IRS will not process a second return with their same SSN.

Report suspicious activity

Despite the surge of massive phishing scams this year, the IRS is taking steps to increase security and crack down on cyber crime. It relies on tips from citizens, however, to apprehend scammers and bring them to justice.

If you or someone you work with sees an email that seems suspicious, forward it to

Spread the word

You may want to forward this or another article about phishing/whaling scams to your payroll staff or anyone else who has access to your personal information.

These scams rely on ignorance and miscommunication. For example, if the Sprouts employee knew how to identify phishing scams, he or she could have easily prevented the security breach by contacting the executive who appeared to be requesting the information and verifying.

While security software may help in preventing these breaches, phishing scams are typically caused by human error, reports CSO. Human solutions like increased awareness and education, better communication and policies that prevent any one person having access to such a huge amount of sensitive information are needed to stop large-scale tax fraud.

twitter: @zamturner


Please with your account to comment on this story. You also will need a Facebook account to comment.

Oldest First
View all