It is deceptively simple, but effective: impersonate a CEO by "spoofing" his or her email and request W-2 information from human resources. Because the request arrives at the height of tax season, busy HR staff may not stop to question the true identity of the sender.
In one case, a chief financial officer who learned of a breach notified the state immediately. Twenty employee W-2s had been compromised. State officials quickly discovered fraudulent returns had already been filed for several. Luckily, refunds had been blocked based on the suspicious nature of the filings. This story comes from Georgia, but it is happening across the country.
Earlier this month, the Internal Revenue Service released a warning for human resource professionals. We shared the information with our readers in a March 3 blog post.
Number of victims growing
Fifty companies have reportedly fallen for the scheme. They range from the small Georgia company to giants such as Weight Watchers and data storage company Seagate Technologies in Northern California.
The deputy director of the Federation of Tax Administrators, Verenda Smith, told the Wall Street Journal, "we are definitely talking about many, many thousands of employees and ... some companies that aren't confessing to it" yet.
It is easy to see how this can happen. Anyone who works at a large corporation probably responds to many internal emails each day that come from people they have never met. Verifying identity is not always as easy as walking down the hallway. For a new employee or someone with too much on their plate, it is often easiest to send the requested information without a second thought.
What to do if your personal information is compromised?
Seagate acknowledged that several thousand employees were affected. The company will offer credit monitoring for affected employees.
If your employer has not offered an equivalent, you should ask that they do. You can also take a proactive step and file Form 14039, Identity Theft Affidavit.
If your employer did not admit to a data breach, you might not find out until you try to file your tax return. Receiving correspondence from the IRS that your return was rejected as a duplicate is a red flag. Respond quickly by speaking with an experienced tax attorney about your situation.