Ten days before taxes are due, cyber thieves are making a last ditch effort to commit tax fraud by stealing personal data from hundreds of Stanford employees.
Friday, emails went out to university employees saying 3,500 W-2 forms were downloaded through W2Express, a third-party vendor operated by Equifax. About 600 of these were downloaded illegally.
Stanford leaders declined requests for on-camera interviews, but released a statement saying hackers needed employees’ social security numbers and their dates of birth in order to do this.
“It now appears that the university, among other employers, was a target as a source of W-2 forms,” Stanford’s Vice President for Business Affairs and CFO Randy Livingston wrote in the statement.
Cyber security experts say breaches have become the “third certainty in life.”
“Now you can see how vulnerable we really are,” said Adam Levin, “Swiped” author and IDT911 chairman and founder.
The Stanford alum says an institution or employer can have the most protective security measures in place, “and yet somebody somewhere clicks on the wrong link at the wrong moment.”
Levin says it’s likely the employees won’t know if hackers have used the W-2s to commit tax fraud until one of three things happen: they’re blocked from filing their taxes; their tax refunds never show up; or the IRS sends them a notice saying they underreported their incomes.
One problem is oversharing on social media such as answering quizzes or filling out information like ‘favorite color,’ ‘high school,’ or ‘street you grew up on.’ Hackers can use this information to access your financial information, according to Levin.
“One of the ways to protect yourself is lie,” Levin said, recommending people choose consistency over veracity. “No one’s going to be conducting a background investigation to determine whether or not that’s your mother’s real maiden name.”
Stanford will provide credit monitoring and fraud alerts to employees.
Meantime, Levin says there is little one can do to keep hackers away, save oversharing online and not falling victim to phone scams. He says even credit monitoring systems can’t protect people, but can help alert people to breaches and deal with damage control after their identities are stolen.