The new scam targeting W-2 information claims thousands more victims as LAZ Parking company now says it’s employees were targeted.
A LAZ spokesperson tells us W-2 information, including the social security numbers of 14,000 LAZ parking employees were stolen.
With the W-2 phishing scam, the thief sends an encrypted email to a human resources employee. The email appears to be from a company CEO., and requests the W-2s of all employees. Since the order appears to come from the boss, the HR person sends the details. The information ends up right the hands of identity thieves.
We spoke to an a LAZ employee off-camera who said she was afraid because she doesn’t know who has her information, or what they plan to do with it.
Department of Revenue Commissioner Kevin Sullivan said Connecticut and other states are bracing for a possible flood of fraudulent tax returns, because the new scam that's now made victims out of both LAZ and Affinion, specifically targets w-2 statements.
“Because what we do is we compare what you say your income is to what the employer says your income is,” said Sullivan. “And if it matches, that’s a verification that you are the tax payer.”
Sullivan said the DRS does use other information to verify identity for tax payers, but adds having actual W-2 information makes it much easier for thieves.
FBI Special Agent Martin McBride said one of the ways companies can fight this scam is by educating their employees. He feels the W-2 phishing scheme is particularly effective because often, employees are reluctant to question who they think is the boss. “They are going to be afraid to go any further and to not comply with this email, so there is a tendency to just do it because it came from the executive,” said McBride. McBride urges employees to verify requests for W-2 before sending them, adding an actual phone call is best when possible.
LAZ said in a statement “They are taking measures such as offering all potentially affected employees 24 months of complimentary identity repair and protection services, including credit monitoring services.”
Anyone who thinks their information has been compromised can contact the State Department of Revenue service and request a red flag on their file.