Protect Yourself from Tax Fraud

By Julie Goldstein, Cyber-Risk IT Security Analyst, UCOP. Reprinted with minor edits from the UC IT Blog

The New Year brings the start of tax season, and W-2 Wage and Tax Statements will be available soon. With them will likely come a wave of scams from attackers trying to get their hands on your personal information.

The IRS estimates that identity thieves have stolen more than $8B over the past few years, and the 2016 tax season saw a significant increase in phishing and malware incidents. UC is not immune.

Be wary of any message asking for W-2 or other tax information. Last year, these scams primarily came in two forms:

  1. Extremely authentic-looking emails impersonating UC communications about how to access your W-2 statement.
    • These emails looked almost exactly like the genuine UC emails – including the “from” address – but contained a harmful link designed to steal passwords and personal information.
  2. Emails directed to financial and payroll employees requesting copies of employee W-2s.
    • These emails looked like they were from executive management, such as the UC president, the campus chancellor or executive vice chancellor, or the head of Financial Affairs, and requested copies of employee W-2s for review purposes. See this IRS alert from last year.

Protect yourself

We don’t know what the scams are going to look like this year, but expect that attackers will only get craftier. Protect yourself this tax season by doing the following.

  • To access your W-2 statement, go directly to UC’s At Your Service or UCPath website (whichever your location uses) instead of clicking on a link in an email.
  • Use known contact information to verify any request for W-2 or other tax information, even if it looks like it’s from someone you know.

Get into the habit

In general, you should always practice the following good habits so you reduce the risk of getting scammed.

  1. Always think twice before clicking on links or opening attachments.
    • Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message.
    • If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm they sent it.
  2. Verify requests for private information (yours or other people’s).
  3. Protect your passwords:
    • Never reveal your password to anyone.
    • Use different passwords for different accounts.
    • Use different passwords for work and non-work.
    • Click “no” when websites or apps ask to remember your password.
  4. Back up critical files:
    • Make sure you store copies of critical files on a drive that gets backed up regularly, or make your own backups and store them securely.
  5. If it’s suspicious, report it!
  6. Secure your area and computer before leaving them unattended – even just for a second.
    • Take your phone and other portable items with you or lock them up.
  7. Delete sensitive information when you are done with it.

UCSF IT Security also recommends you use the UCSF IT Security Suite on all computers used for UCSF Business. It ensures your computer is patched, encrypted and protected from viruses and malware. Also, a backup service (CrashPlan Pro) is offered at no additional charge to all ITFS supported desktops and laptops as part of the ITFS Basic Support, and to UCSF Medical Center supported laptops.

For additional information on how to protect yourself and UCSF from phishing attempts, please go to Protect UCSF and Myself from Phishing Attempts.

To join the UC IT Blog, created to build a UC IT community to share other informative articles, stories, etc., please go to the UC IT Blog.