IRS to Permit Truncated Social Security Numbers on W-2s to Fight ID Theft in 2021

To help protect people from identity theft, the Internal Revenue Service has issued a final rule that will allow employers to shorten Social Security numbers (SSNs) or alternative taxpayer identification numbers (TINs) on Form W-2 wage and tax statements that are distributed to employees, beginning in 2021.

The IRS published the new rule in the Federal Register on July 3. It finalizes a proposed rule issued in September 2017 with no substantive changes.

Under the regulation, SSNs or other TINs can be masked with the first five digits of the nine-digit number replaced with asterisks or XXXs in the following formats:

• ***-**-1234.
• XXX-XX-1234.

To ensure that accurate wage information is reported to the IRS and the Social Security Administration (SSA), the rule does not permit truncated TINs on W-2 forms sent to those agencies. The IRS said that instructions to W-2 forms will be updated to reflect these regulations and explained that masking the numbers on employees’ forms is not mandatory.

The IRS already allows employers to use truncated TINs on employees’ Form 1095-C for Affordable Care Act reporting and on certain other tax-related statements distributed to employees.

Delayed Applicability Date

The IRS delayed the applicability date of the final rule to apply to W-2 forms that are required to be furnished to employees after Dec. 31, 2020, “so employers still have time to decide whether to implement the change,” according to attorneys at Washington, D.C., law firm Covington & Burling. “The delayed effective date is intended to allow states and local governments time to update their rules to permit the use of truncated TINs, if they do not already do so,” the attorneys wrote.

Concerns

Permitting employers to truncate Social Security numbers on Forms W-2 provided to employees will better protect individuals’ sensitive personal information.

But some fear that the change could hamper accurate reporting to government agencies. Concerns have been raised that employees who already receive masked pay statements will have no means of ensuring that their SSN is entered (and subsequently reported to the SSA and IRS) correctly. According to the SSA website, a SSN correction is a common error and even if an SSN is ‘verified,’ it could still be entered into payroll software incorrectly. The W2 provides a means for the employee to catch that mistake.

The IRS responded that the benefits of allowing employers to protect their employees from identity theft by truncating employees’ SSNs outweighed the risks of unintended consequences, and that many of the potential consequences noted by the commenters could be mitigated by using other methods to verify a taxpayer’s identity and the accuracy of the taxpayers’ information.

Some believe the new rule does not go far enough by making truncated Social Security numbers or other TINs an option rather than a requirement. W-2 forms have been the target of several high-profile breaches, and therefore the IRS should only permit truncated SSNs to protect employees from future breaches  according to the Electronic Privacy Information Center in Washington, D.C.

Beware of Form W-2 Phishing Scheme, Authorities Warn

As tax season begins, the IRS is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.

“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a January 2018 alert. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.

Reports about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.

The IRS described the scam as follows:

• Cybercriminals posing as executives send e-mails to payroll personnel requesting copies of Forms W-2 for all employees, using a technique known as business e-mail compromise (BEC) or business e-mail spoofing (BES).

• The Form W-2 contains the employee’s name, address, Social Security number, income and withholdings. Criminals use that information to file fraudulent tax returns, or they post it for sale on the dark net.

• The initial e-mail may be a friendly, “hi, are you working today?” exchange before the fraudster asks for all Form W-2 information.

The IRS gave these examples of what appear to be e-mails from top executives at the organization:

• Kindly reply with all W-2s of our company staff for a quick review. I need them in PDF file type, and you can send it as an attachment.

• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)? Kindly prepare the lists for me asap.

The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.
(more…)