We’re seeing a new variant of an old scam. Here’s what happens: a secretary gets an email from her boss, who is traveling, asking her to send him, as soon as possible, scanned copies of all the W2s the company issued at the end of January. The message appears to come from her manager, right down to what looks like his actual email address when she views it in Outlook.
She gets suspicious — she just talked to her boss on the phone that morning, and he never mentioned needing that information. Before she collects the W2 PDFs that are on the human resources drive, she decides to text her boss and check on it. Great catch! The boss never requested that information.
Had she not been proactive and instead just completed the task assigned to her, she would have given a scammer all of the confidential information that is on a federal W2 form for every employee in her firm. The scammer likely would have used the information to commit identity theft and/or file false returns next year to claim the refund.
Always be vigilant and proactive. It’s better to be suspicious and double-check everything when dealing with confidential information. When you do have to send such information, try to send it in an encrypted email or, at a minimum, with a password on the files (and don’t include the password in the body of the email). The few extra minutes it takes could save months of heartache for all of your employees.
Alan Edwards, CISM, is chief information officer at Computerware, Inc., in Vienna, Virginia.