W-2 Tax Form Tax ScamsAs the deadline to file taxes draws nearer, the scammers and identity thieves who thrive on stolen tax returns this time of year are ramping up their schemes. Nobody is exempt from falling for a tax scam, not even cybersecurity professionals, as shown by evidence that Virginia company Defense Point Security, LLC (DefPoint) recently fell victim to a phishing scam. As a result, the W-2s of all employees who worked at DefPoint in 2016 were handed over directly to scammers. The cherry on top of this story? According to its website, DefPoint is a top provider of cybersecurity to the federal government. Although we’d all like to think that government agencies and the contractors which service them are impenetrable, as we’ve seen from the many breaches involving government entities in recent years, that simply isn’t true. How did this breach happen, and what can you take away from it?

DefPoint was hit by a targeted spear phishing campaign

Spear phishing, which is a type of phishing that is designed as emails or other communication sent to specific people, disguised as being from a trusted or known entity — such as a company CEO or an overseas client — was the culprit in this case. According to reporting by cybersecurity blogger Brian Krebs, employees were notified by DefPoint’s CEO on March 16 that their W-2 data was handed over to fraudsters. Currently, there isn’t any information on when the breach occurred or how many employees were impacted, but Krebs asserted from data gathered on the company’s LinkedIn profile that the number probably ranges between 200 to 300 former and current employees’ data was stolen. We discussed the dangers of sophisticated phishing scams aimed at gaining access to wide swaths of employee W-2s earlier this year. Gaining access to a person’s W-2 is highly desirable to cybercriminals, because they contain nearly all the information needed to file a fraudulent tax return and collect the refund.

What can we learn from this tax scam (and others)?

Unfortunately, the best indicator that someone has been a victim of tax fraud is a rejected return when they attempt to file their taxes. Therefore, data breaches such as this one should be a reminder that the easiest way to prevent tax identity theft from happening to you is to beat scammers to the punch. File your taxes as early as possible, ideally as soon as you receive your W-2s and any other forms you need to file. The earlier you can get your tax forms submitted, the better the chance that you won’t wind up dealing with the IRS to try and get fraud cleared up. Unfortunately, you can’t blindly trust the companies entrusted with your information to keep your data secure. Make sure that in addition to filing early, you also file using a reputable service (if you’re choosing to e-file or work with an in-person tax professional). Every year, thousands of people fall victim to tax scams as a result of dishonest or careless tax professionals.

On a broader scale, it’s also wise to take steps to secure your credit reports. You should consider freezing your credit, or at the very least ensuring that you take advantage of the ability to view all three of your credit reports from the major credit bureaus for free every 12 months through AnnualCreditReport.com. If you want to be able to keep an eye on your credit reports and scores on a more regular basis, consider subscribing to a credit monitoring service. Also, remember that people who don’t have to file taxes are still at risk from tax identity theft. Child identity theft is a growing problem in the U.S., and it’s important for parents to take into consideration the steps necessary to protect their children’s information from being misused by criminals.

To learn more about protecting your identity during tax season as well as all year round, follow our identity theft protection blog.