Beware Of Tax Phishing Scams, Says IRS

Email phishing and malware scams have increased 400% this tax season, according to a recent alert by the Internal Revenue Service (IRS). 

Phishing scams can have serious consequences for brands and organizations, ranging from financial loss and data theft to damaged brand loyalty.

One of the most common tactics employed by cybercriminals is a W-2 phishing scam where a fraudulent email sender imitates a high-level employee. Also known as business email compromise (BEC) or a whaling spoofing attempt, these social-engineering attacks can cause companies to lose thousands of dollars, as well as reveal personal and identifiable information about their employees. 

“Scammers are asking for you to supply information related to the income reporting form W-2 that employers provide to employees around this time of year,” says Chet Wisniewski, senior security advisor at Sophos.

Sophos, a cyber-security company, recently launched a phishing attack simulator and training program to help brands recognize what phishing attacks look like and the corrective actions that mitigate data loss and financial theft. 

Wisniewski recommends that HR and finance departments be on high alert for any emails requesting information related to payroll records. This isn’t just an enterprise concern either, as the IRS recently released a consumer alert warning that W-2 email scams are now targeting school districts, nonprofits, and tribal organizations.

“This is one of the most dangerous email phishing scams we’ve seen in a long time,” states IRS Commissioner John Koskinen in an alert posted online in early February. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

Sophos has also seen “claims of free tax processing via e-file which are designed to gather your social security number,” says Wisniewski. “Stick with well-known services and never respond to email solicitations.” 

“The IRS will never contact you for personal information or about tax-related matters via email,” says Wisniewski. 

If you do receive a dubious email claiming to be from the IRS, do not click on any links or attachments. Instead, report all unsolicited mail to the IRS and email phishing@irs.gov.
