HR Jetpack



Lesson Content

Tax season is a busy time for everyone, including criminals. Every year thieves steal W-2s and other tax data from thousands of Americans and then use the data to file fraudulent tax returns in those people’s names. On some dark web marketplaces, you can purchase a 2016 W-2 for as little as four to twenty U.S. dollars’ worth of Bitcoin.

So how do all of these tax forms end up online? There are many forms of theft and fraud aimed at stealing this data, but one of the most common methods now is to target corporations and steal their employee data. A common tactic is to target an HR employee with a phishing attack or by spoofing a supervisor’s email address: the email appears to come from a manager or someone you would know, but is actually sent by an attacker. These emails contain a message requesting that you email them all of the employee W-2 data.

Many or maybe even most people might be suspicious if they received such a message. They might call that supervisor on the phone to confirm the order, or take another step before just sending it along. But clearly, some people are falling for these attacks.

This is pretty much exactly what happened to Sunrun, a solar panel manufacturer with employees all over the country. An attacker sent a spear-phishing email to the payroll department which appeared to be from the company’s CEO, Lynn Jurich. The email requested that all employee W-2s be emailed back. It was not detected as a scam at the time, and the Social Security numbers, salary details, and other private tax-related data were sent directly to the attacker. In the end, W-2s for roughly 3,400 employees nationwide were compromised through that one email exchange.

Cyberattacks can be hugely profitable even if the campaign succeeds on only a few percent of the attempts. Within an organization, it takes just one weak link to compromise millions of dollars’ worth of data. Just remember that phishing emails prey on people’s fears, like an impatient boss who wants a quick reply. If ever something feels wrong, unusual, or out of place, take the time to verify the authenticity of the request.

Michael Wilson



Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training,...
