The Internal Revenue Service (IRS) and the Federal Bureau of Investigation (FBI) recently warned payroll and human resources professionals of a dangerous Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees during the last two tax seasons—and this season is no different.
The scam goes like this: Cybercriminals identify your company’s chief operating officer or other high-level executives, pose as the executive and send emails to payroll personnel. In these emails, the fraudsters request copies of employee Forms W-2 or ask for a list of all employees and Social Security numbers (SSNs). Using a technique called business email compromise or business email spoofing, these emails look like they were sent from within your organization.
No Typical Email
According to the IRS, the initial email may be a friendly, “Hi, are you working today?” type of exchange before the fraudster asks for all Form W-2 information. But that isn’t always the case.
Last year, one actual email simply asked payroll, “[S]end me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary) as of 2/22/2016.”
Criminals then use the stolen personal information and data on the W-2s, such as SSNs, to file fraudulent tax returns for refunds. Or they sell the information on the “Dark Net.”
Last year’s scams affected all types of employers—small and large businesses, public schools and universities, hospitals, tribal governments and charities. In 2017, reports about this scam to firstname.lastname@example.org from victims and nonvictims jumped to approximately 900, up from 100 the previous year. More than 200 employers were victimized in 2017, which translated into hundreds of thousands of employees who had their identities compromised.
Employers need to educate payroll, HR and finance personnel of the W-2 scam. The IRS also urges employers to:
• Consider limiting the number of employees who have authority to handle Form W-2 requests; and
• Require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.
Employers also should immediately notify the IRS if they are victimized. The IRS can then take steps to help prevent employees from being victims of tax-related identity theft. Unfortunately, because of the nature of these scams, some businesses and organizations don’t realize for days, weeks or months that they were scammed.
The IRS has a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how Form W-2 scam victims can notify the IRS:
• Email email@example.com to notify of the data loss and provide contact information, as listed below.
• In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
• Include the following:
• Business name;
• Business employer identification number associated with the data loss;
• Contact name;
• Contact phone number;
• Summary of how the data loss occurred;
• Volume of employees impacted.
Businesses and organizations that fall victim to the scam and/or organizations that only receive a suspect email but do not fall victim to the scam should send the full email headers to firstname.lastname@example.org and use “W2 Scam” in the subject line.
Employers can learn more at the IRS webpage on Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
A February 21 press release from the FBI Internet Crime Complaint Center, ic3.gov, provides additional information about how to report the situation to state tax agencies and other law enforcement officials.