As tax season begins, the IRS is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.
“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a January 2018 alert. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.
Reports about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.
The IRS described the scam as follows:
The IRS gave these examples of what appear to be e-mails from top executives at the organization:
The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.
Take Precautions Now
HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft.
Notably, sophisticated phishing schemes most often target junior and newly hired professionals, exploiting their eagerness to please and to make a good first impression on upper management. Criminals also monitor social media accounts to choose the moment to attack, such as when a senior HR manager is on vacation.
In addition to educating payroll or finance personnel, the IRS urged employers to consider:
If you receive an e-mail from upper management, be sure to verify the request. In the end, both management and employees will appreciate the extra precautions you take.
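One way to apply that verification step before anyone replies, as an added example that is not from the IRS alert or this article: the script below parses a raw e-mail and flags a Reply-To that would send the answer outside the organization, an executive display name paired with an outside mailbox, or a request for W-2 and payroll data. The organization domain, executive names and sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumed: the employer's own mail domain
EXECUTIVES = ("jane doe",)                  # assumed: names likely to be impersonated
KEYWORDS = ("w-2", "w2", "ssn", "social security", "payroll")

# Constructed sample modelled on the executive-impersonation e-mail the IRS describes.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: ceo.jane.doe@mail-example.net
To: payroll@example.com
Subject: Urgent: W-2 copies needed today
Date: Mon, 22 Jan 2018 09:12:00 -0500

Kindly send me the W-2s of all employees as a PDF before my meeting. Thanks!
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return warning strings for a raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    warnings = []
    # A reply would leave the organization even though the sender looks internal.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        warnings.append(f"reply-to domain {domain_of(reply_addr)} differs from from domain {domain_of(from_addr)}")
    # The display name is a known executive but the mailbox is not on the org domain.
    if any(n in from_name.lower() for n in EXECUTIVES) and domain_of(from_addr) != ORG_DOMAIN:
        warnings.append(f"executive display name with external address {from_addr}")
    # The request itself concerns employee tax or payroll data.
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        warnings.append("requests employee tax/payroll data: " + ", ".join(hits))
    return warnings


if __name__ == "__main__":
    for w in triage(SAMPLE):
        print("WARNING:", w)
```

A flagged message is a prompt to confirm the request with the named executive over a known phone number or in person, never by replying to the e-mail.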
Notify the IRS
Businesses and organizations that receive a suspect e-mail should send the full e-mail headers to firstname.lastname@example.org and use “W2 Scam” in the subject line.
In addition, the IRS established a special e-mail notification address for employers to report Form W-2 data thefts. Form W-2 scam victims can notify the IRS as follows:
—Business employer identification number (EIN) associated with the data loss.
—Contact phone number.
—Summary of how the data loss occurred.
—Volume of employees impacted.
Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
“Cybercriminals’ scams constantly evolve,” the IRS said. “Finance and payroll personnel should be alert to any unusual requests for employee data.”