Beware of Form W-2 Phishing Scheme, Authorities Warn

As tax season begins, the IRS is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.

“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a January 2018 alert. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.

Reports about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.

The IRS described the scam as follows:

• Cybercriminals posing as executives send e-mails to payroll personnel requesting copies of Forms W-2 for all employees, using a technique known as business e-mail compromise (BEC) or business e-mail spoofing (BES).

• The Form W-2 contains the employee’s name, address, Social Security number, income and withholdings. Criminals use that information to file fraudulent tax returns, or they post it for sale on the dark net.

• The initial e-mail may be a friendly, “hi, are you working today?” exchange before the fraudster asks for all Form W-2 information.

The IRS gave these examples of what appear to be e-mails from top executives at the organization:

• Kindly reply with all W-2s of our company staff for a quick review. I need them in PDF file type, and you can send it as an attachment.

• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)? Kindly prepare the lists for me asap.

The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.

Take Precautions Now

HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft.

Notably, sophisticated phishing schemes target junior and newly hired professionals the most in order to exploit their eagerness to please and make a good first impression to upper management. Criminals are also monitoring social media accounts to know when to attack, such as when a senior HR manager is on vacation.

In addition to educating payroll or finance personnel, the IRS urged employers to consider:

• Creating a policy to limit the number of employees who have authority to handle Form W-2 requests.

• Requiring additional verification procedures to validate the request before e-mailing sensitive data such as employee Form W-2s.

If you receive an e-mail from upper management, be sure to verify the request. In the end, both  management and employees will appreciate the extra precautions you take.

Notify the IRS

Businesses and organizations that receive a suspect e-mail should send the full e-mail headers to phishing@irs.gov and use “W2 Scam” in the subject line.

In addition, the IRS established a special e-mail notification address for employers to report Form W-2 data thefts. Form W-2 scam victims can notify the IRS as follows:

• E-mail dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information.

• In the subject line, type “W2 Data Loss” so that the e-mail can be routed properly. Do not attach any employee personally identifiable information data.

• Include the following:

—Business name.

—Business employer identification number (EIN) associated with the data loss.

—Contact name.

—Contact phone number.

—Summary of how the data loss occurred.

—Volume of employees impacted.

Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.

“Cybercriminals’ scams constantly evolve,” the IRS said. “Finance and payroll personnel should be alert to any unusual requests for employee data.”