On Jan. 17, the IRS issued a warning to all employers to beware the Form W-2 phishing scam that has made victims of hundreds of organizations and thousands of employees over the past two tax seasons.
Read the IRS’ full release here.
In its release, the IRS describes the scam as follows:
“. . . Cybercriminals do their homework, identifying chief operating officers, school executives or others in positions of authority. Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees.
The initial email may be a friendly, “hi, are you working today” exchange before the fraudster asks for all Form W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.”
What You Can Do
The IRS advises all employers to educate their payroll and finance personnel on how to identify and handle a fraudulent request, should one be made, and urges businesses to consider limiting the number of employees who have authority to handle Forms W-2.
Having some type of verification procedure in place when emailing sensitive employee data can also help mitigate risks, suggests the IRS. This is especially critical, it warns, given the constantly evolving nature of cyber scams.
How to Report
If your business falls victim to a W-2 scam, there are steps you can take that may help protect your employees from tax-related identity theft. According to the IRS, businesses should notify the IRS immediately of W-2 data thefts by doing the following:
- Email firstname.lastname@example.org to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.
- In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information.
- Include the following:
  - Business name
  - Business employer identification number (EIN) associated with the data loss
  - Contact name
  - Contact phone number
  - Summary of how the data loss occurred
  - Volume of employees impacted
Businesses are also advised to contact the Federation of Tax Administrators and the FBI’s Internet Crime Complaint Center to report data loss. For detailed information, view the IRS’ Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
Businesses that receive a fraudulent email but do not fall victim to the scam should forward the email to email@example.com with the subject line “W2 Scam.” Detailed steps can be found in Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.