
In the past couple of years, business email compromise (BEC) attacks have dramatically increased. As a result, corporate victims of BEC attacks have been increasingly subject to class action litigation on behalf of their employees or customers whose information may have been accessed or disclosed in the BEC attack. This article examines the likelihood of class action litigation from BEC attacks, the judicial results of such litigation, and potential costs associated with settling such litigation.

Likelihood and Success of Litigation

BEC attacks can take many forms, but one of the most prevalent forms involves an email scam designed to obtain employee tax return information. These attacks, known as W-2 phishing attacks, have triggered the majority of the class action litigation relating to BEC attacks and therefore provide a useful basis for analyzing potential litigation from all forms of BEC attacks.

In a W-2 attack, a third party typically sends company employees an email that appears to be from a company executive. The email will likely ask the employee to reply with the Form W-2 of every company employee, and the employee often complies with the request. Attackers seek employee W-2 forms because information such as the employee's Social Security number and tax withholding can be used to perpetrate fraud against company employees, including identity theft, the filing of fraudulent tax returns, and the opening of fake bank accounts or credit cards. Since 2016, over 375 companies have disclosed that they were the victims of successful W-2 attacks.