IRS Warns of Phishing Scam Involving Tax-Related Information

According to the IRS, a new phishing scheme is on the rise that targets employee W-2 forms and related records. As part of the scheme, a fake email purportedly from the CEO or another company executive is typically sent to a payroll or HR professional requesting employee W-2 forms and/or other tax-related information pertaining to company employees. The email, according to the IRS, may request that the recipient "kindly send the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review," or by some other verbiage convey an immediate need by the CEO or other company executive for such data.

Rather than protest or question the presumed CEO, the recipient of the email may innocently provide the requested W-2 forms and other confidential information. The IRS indicates that the scheme has already claimed several corporate victims.

It is widely reported that the bad actors behind these attacks may be using the W-2 forms to steal employee tax refunds. Indeed, the IRS is warning taxpayers that if a person e-files a tax return and discovers that a return has already been filed using that person's Social Security number, or if the IRS sends the person a letter saying that it has identified a suspicious return using the person's Social Security number, he or she should visit the IRS's identity theft web page and follow the IRS's instructions.

What to Do?

An effective strategy to mitigate the risk of this and other phishing schemes should focus on the organization's people, processes and controls, and technology.

First, focus on educating employees about the risks posed by phishing schemes and similar threats. Such training should review a variety of cybersecurity threats and best practices. A security-focused corporate culture will reduce the risk that companies are victimized.

Second, focus on internal policies and controls related to information governance practices. Corporate policy should prevent the dissemination of employees' confidential information, including W-2 forms and other tax-related information, outside of an approved protocol that does not allow circulation by informal email (either at all or without further verification as to the authenticity of the information request).

Additionally, Stroz Friedberg, a global leader in investigations, intelligence, and risk management, advises that companies consider taking one or more of the following technical steps:

• Spam Filtering: Enable or install spam filtering functionality on email servers. Spam filtering increases employee efficiency by eliminating useless emails and reducing email traffic. Spam filtering also plays an important role in cybersecurity by preventing many phishing or other malicious emails from arriving in employee inboxes.
• DLP: Install a data loss prevention ("DLP") solution to monitor and control network and email traffic. DLP solutions allow corporations to monitor, alert on, block, and encrypt the transmission of certain types of data, such as Social Security and credit card numbers.
• Secure Transmission: Limit the ability to transmit Social Security numbers and certain other confidential identifiers or data via regular email transmission. Transmission limits can be obtained through the use of DLP solutions, other programs or applications, or corporate policy. Where companies are unwilling or unable to address the issue through a technical solution, a corporate policy barring standard email transmission of certain types of sensitive data can reduce certain cyber risks, including those associated with phishing schemes.
• Subject Line Configuration: Configure the email server to include a note such as "Outside Sender" in the subject line of any email received from someone outside of the company. Phishing schemes often involve an attempt by the attacker to trick email recipients into believing that they have received a trusted email from another internal company employee. An employee who receives an email with a subject-line note "Outside Sender," but purporting to be from an internal colleague, can more easily recognize a possible phishing attempt.

The tax-related phishing scheme identified by the IRS is another in a recent spate of events bringing increased scrutiny to corporate privacy and data security practices. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that companies are satisfying all applicable privacy and data security compliance obligations.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.

Justin E. Herdman
Cleveland
+1.216.586.7130
jherdman@jonesday.com  

Todd S. McClelland
Atlanta
+1.404.581.8326
tmcclelland@jonesday.com  

Jay Johnson
Dallas
+1.214.969.3788
jjohnson@jonesday.com  

Chad M. Pinson, Managing Director of Stroz Friedberg, and Frances M. Parker, an associate in Jones Day's Atlanta Office, contributed to this Alert.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.