How to stop hackers from stealing your W-2 tax forms

Human resources departments can be victimized by hackers seeking workers’ tax information, experts say.
(Dreamstime / TNS)

Cybersecurity experts at this week’s RSA security conference are warning people to take steps to prevent hackers from stealing their W-2 forms and other sensitive tax documents.

The warning follows several incidents in which hackers sent company officials what appeared to be legitimate requests for copies of their workers’ W-2s.

Such “phishing” attacks are increasing — and can be avoided, said Kevin O’Brien, chief executive of GreatHorn, a Boston-based security company.

In an interview, O’Brien discussed the problem and what to do about it.


Traditionally, Americans have received their W-2 forms via “snail mail.” Do they also have the option to get them electronically? How are hackers getting involved in this aspect of our lives?

Most companies today have digitized their tax forms. Organizations, for the sake of efficiency, often default to sending electronic copies of W-2s, even when they also send paper copies in the mail.

What’s more concerning here is that these documents are almost always stored in digital form by the companies themselves. That makes these files a ripe target for attackers because there are multiple people who can access, share and ultimately breach employee data over any number of channels.

Is this emerging as a significant problem?

The Internal Revenue Service published a warning last year on this, and re-flagged it as being more sophisticated earlier this month. The W-2 scam is a highly effective way that ordinary Americans are seeing their most sensitive data lost to attackers.

If you read the IRS’ advice, it’s largely about what to do when a business user recognizes one of these attacks. Sadly, relying on folks who are just doing their jobs — and who are likely under pressure as tax season rolls around — to somehow identify sophisticated spoofing attacks and then flag them is a fool’s errand.

The reality is that even with strong, foundational security in place, nearly 1% of all emails that get around existing security tools businesses invest in have indicators of fraud within them. That sounds small until you realize that by the end of this year, over 132 billion emails will be sent every single day. That’s a lot of malicious messages that could trick someone into giving up your family’s most private data.

The key problem here is “cognitive load,” which refers to the total amount of mental energy that someone can expend. If you take the typical [human resources] or finance professional, heads-down on getting all of the end-of-year financial data required assembled prior to sending out staff W-2s, you’ll see that they have a very high overall mental load going on.


There’s a limit to how much anyone can hold in working memory at any given time, which is why even with training on these types of threats, attackers who understand social engineering and psychology can still trick companies into giving up W-2s and other sensitive data.

What is the most common mistake people make that exposes their information to hackers?

The most common mistake we see is in thinking along the lines of, “Oh, we can just tell people to be careful!”

The challenge is that many people underestimate cybercriminals. These aren’t kids living in their parents’ basements any longer. While there was a time when that may have been a [somewhat] accurate portrayal of the state of cybercrimes, today’s hackers are most commonly either career cybercriminals backed by international crime syndicates or foreign nation states and military groups.


So long as we think of cybercrime as being somehow less of a threat than it is, we’ll make poor decisions about how to respond.

What are the best ways to prevent hackers from getting people’s tax details?

There are steps that can be taken to minimize the kinds of threats described above — simple things like automatic warnings that flag that a message is a fraud, for example.… The essential step here is in being willing to spend the time, money and effort to go beyond simple feel-good actions and dedicate risk-appropriate resources to solving this problem.

W-2 scams can be stopped. It requires dedicated technology and a keen understanding of just how hard it is to rely on intuition when it comes to spotting and safeguarding threats to sensitive data — relying on old-school network-based tools to scan email or, worse yet, training programs that are proven time and again to be ineffective.


As private citizens, we need to learn to demand that our employers take appropriate measures to safeguard this information. Ask your company how it’s responding to the IRS’ warnings; don’t accept brush-off answers or the fallacious “it won’t happen to us” reasoning that so many organizations fall victim to.

Statistically, 91% of all data breaches begin with a simple phishing attack. If your company can’t point to specific and measured defenses against these types of threats, your tax information has a bright target painted on it for cybercriminals.


