Page 41 - Deleware Medical Journal - September/October 2019
P. 41
MSDIS CORNER
How Can We Help?
MSDIS/ USI Insurance Services has a Technology, Privacy, and Network Security Practice group that we can lean on
for expertise and knowledge in cyber/network security. We have access to other training and guidance resources available through insurance carriers, providing you the option of adding on the coverage to current insurance products or purchasing a separate policy. Contact Sharon Ruth at 302-397-0173 or sharon.ruth@usi.com to continue this discussion on how to protect your practice from cybercriminals.
THE IMPACT
Cybercriminals can use the stolen W-2
���� �� ��� ���������� ��� ������� ���
refunds. Employees typically learn they are victims of a phishing scheme when ���� ��� ����� ��� ������ ��� �� �� �������� ������� ��� ������� ���� ������� ���� one.
Many of you may recall when hundreds of physicians and other health professionals in at least 18 states were targets of a nationwide tax fraud. Health care professionals had their identity compromised and had fraudulent federal ������ ��� ������� ���� �� ����� ������
While the federal government and
states are implementing more stringent controls to analyze tax returns and ensure that fraudulent returns are ������� ��� ���� �� ����� ����� ������� ��� impact of identity theft can linger for years, and remediation is expensive and time-consuming for employees. Social Security numbers cannot simply be canceled or changed, like stolen credit cards.
In 2017, 204 companies across the United States fell victim to W-2 phishing schemes or had business emails compromised.
On December 17, 2018, the IRS and its Security Summit partners warned tax professionals of an uptick in phishing emails involving payroll direct deposit and wire transfer scams. The IRS and the Summit partners, consisting of state
revenue departments and tax community partners, are concerned about the rise in these scams — as well as the Form
W-2 scam.
According to the Federal Trade Commission’s Consumer Sentinel Network complaint database for law enforcement:
� Identity theft was the second-highest complaint category in 2017, with 371,061 complaints, or 14% of the overall complaints.
� Tax- or wage-related fraud was the second-most common form of reported identity theft, representing 19% of the overall complaints. Credit card fraud was the top complaint category, at 30%.
BEST PRACTICES TO AVOID BECOMING A VICTIM
The State of Delaware amended its current data breach law, effective April 2018. It
now requires the business to notify affected individuals within 60 days after determining that a breach has occurred. Employees’ �������� ������������� ������� ��� ��� �� ��� ������� ��������� ����������� ����������� factors that trigger the Delaware notice law.
The following tips can help organizations protect themselves and their employees from W-2 phishing schemes:
� Company executives should communicate to all payroll, accounting, and human resources staff that it is acceptable and even expected to question
any and all requests for sensitive employee information such as W-2s.
� Employees should be trained to be
on high alert for suspicious emails with requests for money or sensitive employee information.
� Ask information technology partners to block spoofed emails or implement purpose-built spear-phishing solutions.
� Always authenticate requests for employee information or funds transfer that are received by email or made outside the company’s normal channels.
� If a request comes by email, fax, or mail, verify the information with a phone call. If the request comes by phone, verify it by email.
� ��� ������� ����������� �� ��� �� verify the requestor. Never use the information that comes with the request. It may also be fraudulent.
� Prohibit executive requests for employee information made by email. Encourage staff to contact executives directly to verify requests.
� Require dual authorization for information on employees that contains sensitive information. The initiator and the approver must pay close attention to the request details and authenticate the request before they initiate or approve, to ensure it’s not fraudulent.
Del Med J | September/October 2019 | Vol. 91 | No. 5
233
