ACFE Public Information Officer
It's unfortunately common this time of year for individuals to file their taxes only to find out that someone has already claimed their return. This type of identity theft can be upsetting, but it may be even more upsetting if they find out their identity was stolen not through any fault of their own, but because their employer fell victim to a scam.
Savvy cybercriminals are using business email compromise schemes, or "spear-phishing" tactics, to acquire personally identifiable information (PII) through employers. They spoof an email address or phone number to make it look like they are someone from the company's human resources management company or accounting firm — or even someone from within the company itself — and ask for employee W-2s. Once they have the W-2s, they are able to steal employees' identities.
This year, the IRS warned that cybercriminals are widening their target scope from just large corporations to smaller organizations, such as nonprofits and school districts. According to the ACFE's 2016 Report to the Nations on Occupational Fraud and Abuse, small organizations often have fewer anti-fraud controls in place than larger organizations — a weakness that makes them easier targets for fraudsters.
Bruce Dorris, J.D., CFE, CPA, CVA, vice president and program director for the Texas-based Association of Certified Fraud Examiners (ACFE), said, "Fraudsters and cybercriminals are continuing to search for new victims with this unique phishing scam. Many of these organizations have smaller budgets and do not have personnel to defend against these attacks, so nonprofits and school districts must invest and raise awareness in the latest fraud detection and prevention techniques to protect themselves."
Employers can protect themselves and their employees by:
- Educating employees on email best practices
- Never sharing PII over the phone or via email
- Reporting suspicious behavior
The IRS has asked employers who receive phishing emails to forward them to firstname.lastname@example.org. Employers must remember that as technology evolves, so do fraudsters. The best defense against fraud during tax season is to be wary of anyone asking for sensitive information and to report any suspicious behavior.