On the business side, IdentityForce recorded more than a 60 percent year-over-year increase in organizations seeking identity theft protection – for either their employees or customers – because of personal information being compromised. 

The fraudsters who perpetrate this type of theft are highly sophisticated, readying their tactics and targets well before tax season begins. One of the primary ways that cybercriminals gain access to employees' tax information is through what is known as a Business Email Compromise (BEC) scam. You may have heard this referred to as "spear phishing."

BEC's occur when the email address of one of your company's executives (often the CEO) is compromised or spoofed. Scammers will send an email from this account, generally targeting HR and/or payroll. In it they will request that the employee send them a file containing the W-2 forms of some, or all your staff. Typically, the scammer will position the email as an "urgent need." If the recipient of this phishing attempt fulfills the request, the crook will use your employees' W-2 forms to commit tax fraud and claim refunds on their behalf.

While this form of phishing may seem obvious to spot, it has been alarmingly effective for those who lurk in the shadows of the Dark Web. In 2017, nearly one in four organizations that reported receiving a W-2 phishing email acknowledged they had fallen for the scam.

Wanting to be responsive to a company executive's request is a normal employee response, which makes it understandable how so many are duped. As organizations have become more agile in recent years, many have noted that fixed jobs are coming to an end. More people have their hands in various aspects of the business, with access to more information. This has made companies increasingly susceptible to phishing attacks as cybercriminals can take a shotgun approach and target a wider range of employees.

The threat of cyberattacks is ever-present for companies of all sizes, in all industries. What matters is how you prepare your employees to identify phishing attempts. Consider these three tips:

1. Start training during the onboarding process

Hackers and cybercriminals are brilliant at what they do, however alarming their tactics may be. They will research your company's employees and go after those who have been newly hired or are junior level. Eager to please in their new job, these workers make for an easy target to respond to a BEC scam.

2. Double-check the accuracy of the email address

Those who send malicious emails often do so by making a minor tweak that employees can easily overlook. Hover over the email address in the "From" bar to ensure the formatting is accurate. If you have any doubt, pull up an old email that you have received from the that person for comparison.

3. Verify all requests for sensitive information

Email is not a secure method to transfer information because it could compromise company or employee data. If you receive a request and it seems real, always confirm with a phone call, text message, or quick in-person discussion. If it is legitimately a colleague who's asking for the information, be sure to talk to your IT team to encrypt the data before sending it.

Raising awareness and being vigilant are key, but ultimately it will be your employees who make the decision to respond to illicit emails or not. In today's digital world, there is simply no way to defend against all fraudsters.

If the worst-case scenario does occur, and you are breached, there are tools to help protect the identity of your employees. One way to get ahead of a breach and minimize damage is through partnering with an identity monitoring service provider. In fact, the fastest-growing, progressive employer benefit that HR teams everywhere are implementing is Identity Protection Services (IDPS). By adding IDPS to your benefits stack, employees can rest easy knowing that their PII is being monitored 24/7. Such services can help prevent or, at minimum, deliver rapid restoration and recovery to restore your good name.

For Human Resources or Total Rewards professionals who might be considering offering identity protection, be sure to perform a thorough review of the options available to you. 

Beyond the obvious advantages of protecting employee and company intel, identity theft protection has been recognized by the IRS as a pre-tax benefit. Whether employer paid, or offered as a voluntary benefit, offering IDPS is appealing to current and prospective employees in today's digital world.