Payroll departments and businesses beware of a recent increase in email scams targeting obtaining employee Forms W-2. A prevalent W-2 scam, called a business email compromise (BEC), is one of the most dangerous phishing email schemes trending nationwide. The IRS saw a sharp increase in the number of incidents and victims during the 2017 filing season.
A business email compromise occurs when a cybercriminal can “spoof” or impersonate a company or organization executive’s email address and target a payroll, financial or human resources employee with a request. For example, fraudsters will try to trick an employee to transfer funds into a specified account or request a list of all employees and their Forms W-2. It’s important to be on the alert this time of year as the criminals will immediately file a fraudulent tax return that tends to mirror the actual income received by employees and has the correct withholding amounts. Then, it can also be posted for sale on the Dark Net, where other criminals also seek to profit once again from these thefts.
In 2017, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by the W-2 scam increase to 200 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Businesses with large payrolls, or who process payrolls on behalf of clients are very much at risk.
If a business or organization is victimized by these attacks, it should quickly notify the IRS. The IRS will take steps to help prevent employees from being victims of tax-related identity theft. However, because of the nature of these scams, many businesses and organizations did not realize for days, weeks or months that they had been scammed. Reporting of such attacks should be made to a special email notification address specifically for businesses and organizations to report W-2 thefts: dataloss@irs.gov. Be sure to include “W-2 scam” in the subject line and information about a point of contact in the body of the email.
Protecting ourselves from BECs
First off, we all must beware of the threat to our own systems and to educate each other about the existence of BEC scams. Employers, especially payroll departments, should review their policies for sending sensitive data such as W-2s or making wire transfers based solely on an email request.