By Julie Goldstein, Cyber-Risk IT Security Analyst, UCOP.

The New Year brings the start of tax season, and W-2 Wage and Tax Statements will be available soon. With them will likely come a wave of scams from attackers trying to get their hands on your personal information.
The IRS estimates that identity thieves have stolen more than $8B over the past few years, and the 2016 tax season saw a significant increase in phishing and malware incidents. UC is not immune.
Be wary of any message asking for W-2 or other tax information. Last year, these scams primarily came in two forms:
- Extremely authentic-looking emails impersonating UC communications about how to access your W-2 statement.
  - These emails looked almost exactly like the genuine UC emails – including the “from” address – but contained a harmful link designed to steal passwords and personal information.
- Emails directed to financial and payroll employees requesting copies of employee W-2s.
  - These emails looked like they were from executive management, such as the UC president, the campus chancellor or executive vice chancellor, or the head of Financial Affairs, and requested copies of employee W-2s for review purposes. See this IRS alert from last year.
Protect yourself
We don’t know what the scams are going to look like this year, but expect attackers will only get craftier. Protect yourself this tax season by doing the following.
- To access your W-2 statement, go directly to UC’s At Your Service or UCPath website (whichever your location uses) instead of clicking on a link in an email.
- Use known contact information to verify any request for W-2 or other tax information, even if it looks like it’s from someone you know.
Get into the habit
In general, you should always practice the following good habits so you reduce the risk of getting scammed.
- Always think twice before clicking on links or opening attachments.
  - Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message.
  - If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it.
- Verify requests for private information (yours or other people’s).
- Protect your passwords:
  - Never reveal your password to anyone.
  - Use different passwords for different accounts.
  - Use different passwords for work and non-work.
  - Click “no” when websites or apps ask to remember your password.
- Back up critical files:
  - Make sure you store copies of critical files on a drive that gets backed up regularly, or make your own backups and store them securely.
- If it’s suspicious, report it!
  - Go to your supervisor and use your location’s reporting channels.
- Secure your area and computer before leaving them unattended – even just for a second.
  - Take your phone and other portable items with you or lock them up.
- Delete sensitive information when you are done with it.
  - Better yet, don’t store it in the first place if you don’t need to.
  - Follow the UC records retention schedule.