It appears the bad guys are after our payroll information again. The IRS, and state tax agencies in Michigan, Colorado, Maryland and Rhode Island, are urging all payroll personnel to be wary and to educate themselves about a Form W-2 phishing scam that made victims of hundreds of organizations and thousands of employees in 2017. I blogged about this last year, but it bears repeating with the new W-2 submission deadline looming. Here’s how the scam works: cyber criminals do their homework, identifying chief operating officers, school executives or others in positions of authority. Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as those executives send emails to payroll personnel requesting copies of Forms W-2 for all employees. The criminals then use the information to file fraudulent tax returns, or they post it for sale on the Dark Net.
The initial email may be a friendly “hi, are you working today” exchange before the fraudster asks for all W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed up with a request for a wire transfer. The IRS is hoping that by alerting employers and payroll professionals now, it can limit the success of this scam in 2018. The IRS has also created a new process by which employers should report the scams. There are steps the IRS can take to protect employees, but only if the agency is notified immediately by the employer about the theft.
The IRS is also suggesting that employers consider creating a policy to limit the number of employees who have the authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as an employee’s Form W-2.
The IRS has established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how the Form W-2 scam victims can notify the IRS:
- Email firstname.lastname@example.org to notify the IRS of a Form W-2 data loss and provide the contact information listed below.
- In the subject line, type “W-2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information.
- Include the following:
  - business name
  - business employer identification number (EIN) associated with the data loss
  - contact name
  - contact phone number
  - summary of how the data loss occurred
  - number of employees impacted by the data loss
Businesses and payroll professionals that only receive a suspect email but do not fall victim to the scam should send the full email headers to email@example.com and use “W-2 Scam” in the subject line. Beyond reporting, payroll professionals and finance departments alike should be alert to any unusual request for employee data. Cyber criminals and their scams are constantly evolving.