Income tax identity theft is a multi billion dollar problem that costs the government and, by extension, we the taxpayers billions of dollars each year while tremendously inconveniencing the individual taxpayers whose identities are stolen as it generally takes the IRS months to fully investigate each instance of identity theft and send to the victimized taxpayer his or her legitimately owed tax refund. Armed with a potential victim’s name and Social Security number, it is a simple matter for an income tax identity thief to file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.
I have been warning you for a year about identity thieves tricking companies into providing employee W-2s to them. These stolen W-2s contain all of the information the identity thieves need to file a fraudulent income tax return. The scam works by sending phishing emails to HR and accounting departments within companies often posing as the CEO of the company or someone else in upper management requesting copies of all employee W-2s under various guises. Other times, payroll management companies have been targeted using the same type of phishing emails. In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.
This scam continues to plague companies both big and small and recently, Monarch Beverage, Indiana’s biggest beer and wine distributor acknowledged that not only had it recently become a victim of this scam turning over W-2s of more than 600 employees to identity thieves, but that in the course of its investigation into the matter, it had been victimized last year by the same scam.
All companies have got to do a better job of training employees to recognize phishing emails and installing anti-phishing software programs. In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent is really who they represent they are. These same lessons that apply to companies also apply to all of us as individuals, as well. Phishing is done to steal the identities and information of unwary individuals every day and the best way to protect yourself is to start with remembering my motto, “trust me, you can’t trust anyone.” Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and the person or company requesting the information has a legitimate need for the information. Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate because those links and attachments could contain keystroke logging malware that can steal all of the information from your computer and use it to make you a victim of identity theft. Finally, keep all of your electronic devices including your smartphone up to date with the latest security software patches.