Tax forms were due to most taxpayers yesterday, but that doesn’t mean that scammers are taking a break. The Internal Revenue Service (IRS) continues to remind employers to educate their payroll personnel about a form W-2 phishing scam that could make the rounds again in 2018, as well as reminding all taxpayers to be diligent with respect to safeguarding their data.
The IRS issued a similar alert to employers as tax season began last year. The tax agency issued a subsequent urgent alert notifying employers that the phishing scam, which had previously targeted for-profit companies, was targeting school districts, tribal organizations, and nonprofits.
Here’s how the scam works. Fraudsters send a fake email pretending to be from a high-level corporate employee requesting information about employee forms W-2 from a company’s payroll or human resources departments. The emails typically ask for the forms W-2 and earnings summary of all W-2 employees or an updated list of employees with their personal details including Social Security Number (SSN), home address, and salary. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).
Just like that, the scammers can capture all of the data for an entire company. Once the scammers have tricked the company’s payroll or human resources departments into releasing the information, they can use the information to file fraudulent tax returns to obtain bogus tax refunds, or post the information for sale on the Dark Web. In some cases, thieves immediately follow their information request with a request for a wire transfer.
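As an added illustration (not part of the IRS alert), here is a minimal mail-triage check a payroll team could run on an inbound message before replying: it holds mail that asks for W-2 or bulk employee data when the sender is external or the reply address differs from the sender. The domain `example-corp.test`, the keyword patterns, the `triage` function and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.test"  # assumption: the employer's own mail domain

# Phrases taken from the request described above: forms W-2, earnings
# summaries, employee lists with SSNs, and the follow-up wire transfer.
PATTERNS = {
    "w2_request": re.compile(r"\bw-?2s?\b", re.I),
    "bulk_employee_data": re.compile(
        r"\b(all|list of)\s+(w-?2\s+)?employees\b|earnings summary", re.I),
    "ssn": re.compile(r"social security|\bssn\b", re.I),
    "wire_transfer": re.compile(r"wire transfer", re.I),
}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def triage(raw_message):
    """Flag data requests that arrive over a suspicious route."""
    msg = message_from_string(raw_message)
    # This example only inspects single-part, plain-text bodies.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = [name for name, rx in PATTERNS.items() if rx.search(text)]
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if from_dom != ORG_DOMAIN:
        findings.append("external_sender")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")  # replies would leave the org
    asks_for_data = {"w2_request", "bulk_employee_data", "ssn"} & set(findings)
    bad_route = {"external_sender", "reply_to_mismatch"} & set(findings)
    return {"hold": bool(asks_for_data and bad_route), "findings": findings}

# Constructed sample: looks internal, but replies go to another domain.
SAMPLE = """From: "Pat Doe, CEO" <pat.doe@example-corp.test>
Reply-To: pat.doe@mail-example.test
To: payroll@example-corp.test
Subject: W-2 request

Please send me the 2017 W-2 and earnings summary of all W-2 employees today.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A held message should be confirmed with the purported sender through a separate channel, such as a phone call, before any employee data is released.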
The IRS says that during the last two tax seasons, thieves have tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces. Last year, more than 200 employers were victims of the scam. With entire companies being targeted, that translated into hundreds of thousands of employees who had their identities compromised.
The IRS has established a special email notification address specifically for employers to report form W-2 data thefts. Affected employers can email firstname.lastname@example.org to notify the IRS of a form W-2 data loss, putting “W2 Data Loss” in the subject line. Those businesses and organizations that received an email but did not experience data loss should send the full email headers to email@example.com and use “W2 Scam” in the subject line.
Employees who believe that their data may have been compromised should file a complaint with the FTC at identitytheft.gov and consider contacting one of the three major credit bureaus (Equifax, TransUnion, or Experian) to place a ‘fraud alert’ on credit records. Additionally, contact your bank and financial institutions, and close any financial or credit accounts that might have been opened without your permission or touched by identity thieves.
If your SSN has been compromised and you know or suspect you are a victim of tax-related identity theft, the IRS recommends that you respond immediately to any IRS notice (call the number provided). You’ll need to complete a federal form 14039, Identity Theft Affidavit, if your e-filed tax return is kicked back because another return has already been filed with your SSN, or if the IRS tells you to fill out the form.
Remember that these scams are constantly evolving. Other scams that may also be circulating at this time of year include telephone scams (yes, phones are still ringing with fake calls purporting to be from the IRS or the Social Security Administration) and scams targeting tax professionals. Pay close attention. While employers should be alert to any unusual requests for employee data, employees should also be wary of requests for personal information that are out of the ordinary, and all taxpayers are encouraged to regularly monitor their credit history.