Page 1 of 1
As tax season begins, the IRS is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.
“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a January 2018 alert. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.
Reports about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.
The IRS described the scam as follows:
The IRS gave these examples of what appear to be e-mails from top executives at the organization:
The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.
A number of employers have recently fallen victim to a phishing scam that tricks them into disclosing highly sensitive employee information to unknown third parties. Make sure to warn your Human Resources and Payroll Departments to be on the alert so that your company doesn’t get added to the ranks of those swindled.
In the wake of tax season, multiple businesses have reported receiving spoofing emails, usually sent to Payroll and Human Resources departments / personnel. The emails appear to be requests from in-house high-level company executives, including in some instances the CEO, requesting that employee W-2 tax forms be transmitted to them for various administrative purposes. In reality, these emails are phishing expeditions sent by outside data thieves, who use cloned company email addresses with authentic-looking company logos, colors, and signatures.
If the recipients are deceived into thinking the emails are legitimate company correspondence, they will comply with the request and end up delivering W-2 forms to the scam artists. These forms contain a treasure trove of employee personal data, including Social Security numbers and other personally identifiable information. The successful hackers often use the data obtained from this phishing scam to file fraudulent tax returns on behalf of company employees.
If you believe your company is a victim of this scam, you may have a legal obligation to follow applicable data breach notification requirements. Besides determining your legal responsibilities, which vary from state to state, you should consider encouraging your employees to monitor their credit reports and take all of the usual measures to prevent identity theft. You should also suggest they file their tax returns as soon as possible in an effort to avoid the filing of fraudulent tax returns on their behalf.