How to Be Vigilant Against W-2 Phishing Scams and Requesting Tax Sensitive Information and Wire Transfer Requests
With the rapid influx of W-2 phishing scam reports, the Internal Revenue Service (IRS) and state tax agencies have issued a serious threat alert applicable to all businesses and organizations.
Both corporate and not-for-profit entities are at risk, and as such are being advised to be vigilant and guarded against the recent uptick in W-2 scammers who are stealing employee information, as well as implementing wire transfer schemes.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.
Employers are advised to report W-2 thefts immediately to the IRS so that they can effectively protect employees from identity theft.
There are a number of safeguards being utilized by the Security Summit (a partnership between the IRS, state security agencies and the tax industry) that can identify fraudulent returns filed through scams.
How the W-2 Scam Works:
Business email spoofing techniques, where criminals send emails appearing to be from an executive’s email address within that organization, are sent to employees in payroll or human resources departments. The cybercriminals, posing as the executives, request employee lists as well as their W-2 Forms.
Safeguarding Your Organization:
All employees should be informed and on high alert for the W-2 scam. The Security Summit is seeing a surge of this scam activity, affecting corporations and organizations more broadly, and in some cases, repeatedly.
Organizations should also be careful with emails appearing to be from executives – specifically to payroll or comptrollers – requesting a wire transfer to an account. This additional request has often accompanied the W-2 scam email and has resulted in thousands of dollars lost.
To proactively avert being victimized, organizations should share this alert with payroll, human resources and finance employees. You should also consider setting up an internal verification system for W-2 and wire transfer requests to safeguard against these scams.
Reporting the W-2 Scam
- Employers: If your organization receives a W-2 scam email, immediately forward it to firstname.lastname@example.org with a subject line that says “W2 Scam.” Should you receive, or fall victim to, a scam email, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
- Employees: If an individual’s Forms W-2 have been stolen, each affected employee should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
They will need to file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects due to a duplicate Social Security number or per IRS instructions.