“Forward to Human Resources” – The Dangers of Tax Season

March 14, 2017

Benjamin Franklin said, “In this world nothing can be said to be certain, except death and taxes.” And so, once a year, we file our tax returns.

Any refund is often spent long before we receive it. We pay off credit card bills, book vacations and make down-payments on a new car. But what if your W-2 became compromised? What if you file your return only to be notified by the IRS that your return has already been filed, and your refund already issued?

Cyber-attacks are still a new concept to many people, and attackers have endless ways to obtain valuable information. Your W-2 contains extremely valuable information. A new, dangerous phishing scheme emerged last year targeting W-2s and has claimed more victims this year. The target? Human resources departments… and they often don’t realize they’re in the crosshairs until it’s too late.

Phishing is the fraudulent practice of sending emails that appear to be from reputable companies, enticing individuals to reveal personal information such as passwords and credit card numbers. Phishing has been around for years, and we have all probably received an email that appears to come from a reputable company looking for information when, in fact, it’s a phishing scheme. But what if a hacker, using your CEO’s email address, requested payroll data or W-2s from your human resources manager, a member of the accounting team or anyone else who has access to this data? Welcome to the next chapter of phishing attacks, called “business email spoofing”!

In January, restaurant franchise Scotty’s Brewhouse became the latest victim of this type of phishing attack. Over 4,000 employees’ W-2 forms were sent to the company’s CEO even though he never requested any of the information; a scammer used the CEO’s credentials to ask for the W-2 forms.

In a recent Forbes article, IRS Commissioner John Koskinen said, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

A USLI Cyber Liability and Data Security+ policy will cover claims if personally identifiable information is sent to the wrong recipient as a result of a phishing attack. Whether or not it’s tax season, our policy provides coverage with four separate limits:

  • Coverage Part A: Data Breach Liability – Security Breach Liability – Defense Regulatory Proceedings – PCI Fines & Penalties
  • Coverage Part B: Data Breach Expense – Cyber Extortion Threat Expense
  • Coverage Part C: Website Liability
  • Coverage Part D: Identity Theft

Our Hit Zone Product Underwriting Guide gives additional details regarding these four limits. As new phishing scams surface, it’s important for insureds to understand not only their exposures, but also whether their policy will offer coverage in these scenarios. Our policy can provide the peace of mind your clients need.

Please contact your Professional Lines underwriter for more information or a quote, or get a web quote today.

As always, thank you for your support and business.

Contact Meredith Bennett,
Second Vice President, Underwriter | 888-523-5545 Ext. 2598

Written by Tom Langston
March 16, 2017