Protect yourself from tax fraud and identity theft
When you receive your annual W-2 Wage and Tax Statement later this month, you’ll think about doing your taxes. Scammers will think about getting their hands on your personal information.
The IRS estimates that over $8 billion has been stolen by identity thieves over the past few years, with a significant increase in phishing and malware incidents during tax season.
To protect yourself, be wary of any message – especially via email, text or phone – that either claims to provide W-2 or other tax information or asks you to provide it. UC does not send its employees their W-2s by email.
How scammers try to get your information
Last year, these scams came in two forms:
- Extremely authentic-looking emails that explained how to access your W-2 statement. These emails looked almost exactly like genuine UC emails – including the “from” address – but contained a harmful link designed to steal passwords and personal information.
- Emails directed to UC’s financial and payroll employees requesting copies of employee W-2s. These emails requested copies of employee W-2s for review purposes and looked like they were from UC leaders such as the president, chancellor, executive vice chancellor, or head of financial affairs. Last year’s IRS alert explains this phishing scheme: https://www.irs.gov/uac/newsroom/irs-alerts-payroll-and-hr-professionals-to-phishing-scheme-involving-w2s
How to protect yourself
While we don’t know what the scams are going to look like this year, we expect attackers will continue to get craftier. To avoid being scammed:
- To access your W-2 statement, go directly to UCPath instead of clicking on links or attachments in emails. UC does not send W-2s by email. It mails paper W-2s to the employee’s home address, unless the employee has requested an electronic version. Electronic versions of W-2s can only be requested and accessed on the UCPath website.
- Always think twice before sharing financial or identity information (yours or other people’s). Use known contact information to confirm any request for W-2 or other tax information, even if the request looks like it’s from someone you know.
More ways to protect UC’s data and your own
As a reminder, practice the following good habits year-round:
- Always think twice before clicking on links or opening attachments.
- Whenever possible, go to web pages by a path you know is legitimate instead of clicking on a link in a message.
- If an attachment is unexpected, contact the sender by a method you know is legitimate to confirm that they sent it.
- Verify requests for private information (yours or other people’s).
- Protect your passwords:
- Never reveal your password to anyone.
- Use different passwords for different accounts.
- Use different passwords for work and home.
- Store critical files on a drive that gets backed up regularly, or make your own back-ups and store them securely.
- Report all suspicious contacts to your supervisor and UCOP’s ITS department.
- Secure your area and computer before leaving them unattended – even for a minute. Take your phone and other portable devices with you or lock them up.
- Delete sensitive information when you’re done with it. Follow UC retention policies but don’t store information if you don’t need to.
Have questions or need help with an IT issue? Think you’ve received a scam request? Contact the UCOP IT Service Desk in one of the following ways: