Tax Filing Fraud

Tax returns and W-2s are information rich documents that contain the name and Social Security Number of an employee, as well as information concerning their salary and address, and personal behavior and characteristics (e.g., the charities that they support, their sources of income, their investments, and their relationships with financial institutions). Each year cyber-attackers target these documents. If successful, an attacker may attempt to sell sensitive information contained in the file. Other attackers may attempt to use tax-related documents (e.g., an employee’s W-2) to submit a fraudulent income tax return in the hope of obtaining any refund owed to an employee.

There are many methods by which an attacker may attempt to obtain tax related information. The most visible have been large hacking attempts against the Internal Revenue Service itself. Other attackers attempt to obtain tax documents from employers. For example, in 2016 IRS Commissioner Kohn Koskinen highlighted spear phishing attempts against human resource departments: “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.” The following provides a snapshot of information regarding tax filing fraud.

 Employers should consider taking the following steps to help prevent a data breach of your employee tax records:

1)         If you receive a request from an executive to email large quantities of employee information, verify that request by telephone before responding.

2)         If the request appears legitimate, consider transmitting the data using a secure connection and not by email.

3)         If you need to transmit tax information by email, encrypt the document before sending it.

4)         Never use a formulaic or easy-to-guess password for an encrypted file (e.g. employee's last name).

5)         Do not publicly post any information that your employees may need to access their tax related information online.

6)         Track the rate of tax related fraud reported to your Human Resource department each year. If the quantity of tax reported fraud is significantly greater this year than it was in previous years, consider investigating whether data may have been breached.

7)         If you have fallen victim to email phishing, talk to your outside counsel about notification requirements and whether it makes sense to provide employees with credit monitoring services.

1. https://www.irs.gov/uac/Newsroom/Consumers-Warned-of-New-Surge-in-IRS-Email-Schemes-during-2016-Tax-Season-Tax-Industry-Also-Targeted .

2. Id.