W-2 Fraud
A Privacy Risk for Employees and Nonprofits
Elizabeth McGinn, James Shreve
DC Bar Pro Bono Center, March 3, 2017
Introduction & Overview
Introductions
Today's discussion:
• What are W-2 fraud and BEC?
• In the news
• A typical BEC W-2 incident
• Current trends in incidents
• Insurance
• Other issues
• Practical steps to mitigate risks
What is…
• W-2 fraud
• Business email compromise (BEC)
– Phishing
– Spoofing
– Compromised credentials
– W-2 fraud
– Wire fraud
In the News
• FTC reported 399,225 identity theft complaints in 2016
• As of February 5, 2017, BEC-related data breaches have affected at least 29,534 taxpayers
• BEC: $3.1B in losses since January 2015
– Likely underreported
• Latest variants
– W-2 incident often accompanied by wire fraud
A typical BEC W-2 Fraud Incident
• Fact pattern: Email received by Assistant Director of HR John Smith from CEO Richard Brown
– Received on February 7th at 7:45 am
– CEO Brown states he is reviewing salaries of individuals for promotion
– Requests W-2s for company employees as PDFs
– Assistant Director Smith sends requested materials
– Days later Assistant Director Smith receives another email, and only then inquires
Current Trends in Incidents
• Criminals casting a broader net…
– Greater range of targeted entities, including nonprofits and small businesses
• …but the basics remain the same
– Pattern of an email request to HR from a high-ranking person still most common
• Often accompanied by attempted wire fraud
Insurance
• Cyber policies
• Mixed results in cases on BEC
– Ameriforge Group Inc. v. Federal Insurance Co.
– Apache Corp. v. GAIC
– Principle Solutions Group v. Ironshore
Other Issues
• Is it a breach?
– Legal and regulatory obligations
• Review of security program
– Regulators or AGs may review after an incident
• Contractual issues
– May go beyond legal requirements
– Involvement in investigation
– Input on issuances
• Reputational risk and employee relations
Addressing an Incident
• Alert the IRT and other necessary persons
– Inside and external resources ready ahead of time
• See what can be done immediately
• See if there were other earlier incidents
• Contact the IRS and law enforcement
– Remember to maintain privilege
• Contact insurance (if applicable)
• Watch for follow-up incidents
• Breach notifications (if needed)
• Apply what you learned
Practical Steps
• Training
– Phishing
– Email
• Incident response program
• Security program
• Automated controls
• Structural controls
Practical Steps
• Out of channel verification
Resources: Tax Professional Compromises
• Contact IRS Stakeholder Liaison when compromise detected
– http://www.irs.gov/Businesses/Small-Businesses-&-Self-Employed/Stakeholder-Liaison-Local-Contacts-1
• Contact impacted state tax agencies
– https://www.irs.gov/businesses/small-businesses-self-employed/state-links-1?_ga=1.124839048.382356062.1475763178
• Follow state reporting requirements (e.g., State Attorney General, State Consumer Protection Bureaus, State Police)
• File a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation
• Contact local police, US Secret Service, other law enforcement
• Report compromise to the Federal Trade Commission
– https://www.identitytheft.gov/
Resources: Payroll Related Compromises
• Organizations receiving a W-2 scam email should forward it to [email protected] and place "W2 Scam" in the subject line
• Contact impacted state tax agencies
– https://www.irs.gov/businesses/small-businesses-self-employed/state-links-1?_ga=1.124839048.382356062.1475763178
• Follow state reporting requirements (e.g., State Attorney General, State Consumer Protection Bureaus, State Police)
• Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation
• Contact local police, US Secret Service, other law enforcement
• Report compromise to the Federal Trade Commission
– https://www.identitytheft.gov/
Additional Resources
• IRS Security Summit: https://www.irs.gov/uac/security-summit
• Help for taxpayers
– Common-sense suggestions can make a big difference. See the IRS Security Awareness Tax Tips for a recap of IRS tips to help secure data.
– Also see Publication 4524, Security Awareness for Taxpayers
• How tax preparers can help
– Tax preparers are critical and valued partners in the tax administration process, and have an important role to play in helping prevent identity theft.
– Tax preparers should review their own security features. IRS Publication 4557, Safeguarding Taxpayer Data, provides an easy checklist for reviewing and updating a security plan.
– Tax preparers can share Publication 4524 with clients to help raise awareness about important security steps.
• How businesses can help
– Businesses and other organizations can also help combat identity theft by educating their employees, clients and customers. Businesses can share Publication 4524 or create their own messages.
Additional Resources from the IRS
• Tax Tips: https://www.irs.gov/uac/irs-security-awareness-tax-tips
• Safeguarding Taxpayer Data: Create Strong Passwords
– Protect Your Clients; Protect Yourself Tax Tip Number 8, January 25, 2017
• What to Do If You Suffer a Data Breach or Other Security Incident
– Protect Your Clients; Protect Yourself Tax Tip Number 7, January 18, 2017
• Safeguarding Taxpayer Data: Monitor Your EFIN for Suspicious Activity
– Protect Your Clients; Protect Yourself Tax Tip Number 6, January 11, 2017
Additional Resources
• Federal Trade Commission, "Start With Security"
– https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
• Department of Commerce's National Institute of Standards and Technology (NIST), Small Business Information Security: The Fundamentals
– https://www.nist.gov/node/1111801
• Center for Internet Security (CIS), Critical Security Controls
– https://www.cisecurity.org/critical-controls.cfm