Tax-filing season is turning into a nightmare for thousands of employees whose companies have been duped by email fraudsters. A large phishing scheme has tricked several major companies — among them, the messaging service Snapchat and disk-drive maker Seagate Technology — into relinquishing tax documents that exposed their workers’ incomes, addresses and Social Security numbers.
The scam, which involved fake emails purportedly sent by top company officials, convinced the companies involved to send out W-2 tax forms that are ideal for identity theft. For instance, W-2 data can easily be used to file bogus tax returns and claim fraudulent refunds.
“This mistake was caused by human error and lack of vigilance, and could have been prevented,” Seagate’s chief financial officer, Dave Morton, wrote in a March 4 email to the company’s employees.
The swindlers behind the tax scam are exploiting human gullibility rather than flaws in Internet security. They have targeted company payroll and personnel departments, in many instances with emails claiming to be requests from the company CEO asking for copies of worker W-2s.
The schemes are so widespread that the IRS sent a March 1 notice alerting employers’ payroll departments to the spoofed emails. There has been a 400% increase in phishing and computer malware incidents this tax-filing season, the IRS said.
The federal alert didn’t come soon enough for Snapchat, which on February 28 revealed that its payroll department had been duped by an email impersonating its CEO, Evan Spiegel. The Los Angeles company didn’t specify how many employee W-2s it released.
“When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” Snapchat wrote in a blog post.
Seagate acknowledged surrendering the W-2s for all of its staff (about 52,000) employed last year. The Cupertino, California, company said “several thousand” people were affected.
Both Snapchat and Seagate notified federal authorities about the phishing attacks and are offering affected workers two years of free credit monitoring.
Hundreds of companies appear to have been targeted, according to Stu Sjouwerman, CEO of KnowBe4, a Florida firm that trains employers to detect and avoid such scams.