Here is an excerpt from the IRS Newswire, cautioning us to be aware of this W-2 Phishing scam:
The W-2 scam has emerged as one of the most dangerous and successful phishing attacks as hundreds of employers and tens of thousands of employees fell victim to the scheme in the past year. This scam is such a threat to taxpayers that a special IRS reporting process has been established.
Because the Security Summit partners have successfully made inroads into stopping stolen identity refund fraud, criminals now need more information to file a fraudulent return. That means they need more accurate data about taxpayers, causing them to target tax practitioners, payroll professionals and employers. The Form W-2 contains income and withholding information necessary to file a tax return.
All employers are at risk. In 2017, the W-2 scam made victims of businesses large and small, public schools and universities, as well as tribal governments, charities and hospitals. The scam, which grows larger each year, will likely make the rounds again in 2018.
The Security Summit warns employers – in public and private sectors – to beware of this scheme and to educate employees, especially those in human resources and payroll departments who are often the first targets.
This is an example of a business email compromise or business email spoofing in which the thief poses as a company executive, school official or someone of authority within the organization. The crook will send an email to one employee with payroll access, requesting a list of all employees and their Forms W-2. The thief may even specify the format in which he wants the information. The subject line has hundreds of variations along the lines of “review,” “manual review” or “request.”
Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred. Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two.
Employers are urged to put steps and protocols in place for the sharing of sensitive employee information such as Forms W-2. One example would be to have two people review any distribution of sensitive W-2 data or wire transfers. Another example would be to require a verbal confirmation before emailing W-2 data. Employers also are urged to educate their payroll or human resources departments about these scams.
Please contact our office with questions or for more information.