Beware of the Current W-2 Email Scam

Beware of the Current W-2 Email Scam

There is a new email scam for small businesses to be aware of as W-2 season approaches. This scam is such a serious concern that the IRS has developed five ways to report if you are a victim of this particular identity theft.

W-2 Scam

At the end of the year, employers are preparing W-2s to send out to employees. Each W-2 contains a wealth of sensitive data. They include employee Social Security Numbers, income information, and addresses – exactly what a thief would need to file a false tax return. Because this is a mandatory and common form, all employers are targets for the W-2 scam.

This particular scam is a very simple email exchange. Someone in your payroll or human resources department receives an email, and it will look like it’s from an executive or a leader of the organization. It will start with a harmless and normal conversation, such as “hey, are you in today?”

Of course, if you get an email and it looks like it’s from your boss, you’re going to respond, right? So you do and the conversation continues. By the end of the email exchange, your “boss” will have asked for a copy of the W-2s so they can review everything.  But if it was actually someone posing as your boss, all of  your organization’s W-2 for their employees may be in the hands of cybercriminals.

What makes it worse is that since the payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred. Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two.

If You’ve Been Scammed

This scam is such a threat to taxpayers that a special IRS reporting process has been established. Here’s a list of how a business should report these schemes. They should:

  1. Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. The business should not attach any employee personally identifiable information data.
  2. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  3. File a complaint with the FBI’s Internet Crime Complaint Center. Businesses and payroll service providers may be asked to file a report with their local law enforcement agency.
  4. Notify employees. The employee may then take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
  5. Forward the scam email to phishing@irs.gov.

Preventative Measures

The IRS is urging employers to put steps and protocols in place for the sharing of sensitive employee information such as Forms W-2.

One example would be to have two people review any distribution of sensitive W-2 data or wire transfers. Another example would be to require a verbal confirmation before emailing W-2 data.

Employers should also educate their payroll or human resources departments about these scams, so be sure to share this information with your payroll and HR department. If you work in one of these departments, it’s always a safer option to pick up the phone to call and ask if this information is really being requested. A short phone call is much better a loss of data. As always, contact us if you have any questions!