The IRS is strongly urging employers to educate their payroll personnel on phishing scams involving Form W-2. According to a statement from the agency, more than two hundred organizations fell victim to the scam last year impacting thousands of employees.
How it works
In a W-2 phishing scam, cybercriminals send emails to a company’s employees — typically in payroll, benefits or human resources departments — that claim to be from the company’s management. The emails request a list of employees along with their W-2 forms, Social Security numbers or other confidential data.
Here are some examples straight from the IRS:
“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
If the employee responds, criminals can use this information to file fraudulent tax returns in the employees’ names, seeking refunds.
The scam is particularly nefarious because the employees it targets probably believe that, in complying with the emailed instructions, they’re doing exactly what they’re supposed to. Moreover, at first glance, the emails typically appear legitimate. Many contain the company’s logo and the name of an actual executive, typically captured from publicly available information.
The increasing number of such scams prompted the IRS to issue an alert in 2016: “IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s.”
Education is key
While these scams have become more prevalent, businesses can take steps to reduce their risk. Because the scams target humans, rather than the technology itself, education is key. Inform all employees, and particularly those in areas that handle sensitive data, of the scams. Remind them not to click on links or download attachments from emails that were unsolicited or sent by those they don’t know.
Employees often are nervous about questioning a request that appears to come from upper management, so encourage employees to double-check any request for sensitive information, no matter who appears to be making it. They should do this not by responding to the email in question, but by talking with a trusted supervisor or colleague.
Don’t fall victim
Technology has a role to play as well. Install robust antivirus and spam filters and keep them updated. Along with education, the IRS is also urging employers to create a policy which limits the number of employees who have access to Form W-2 requests and create verification procedures to validate the actual request before emailing sensitive data.
The IRS is asking businesses and organizations who receive a suspected phishing scam email to send the full email headers to firstname.lastname@example.org and use “W2 Scam” in the subject line.
Reporting data loss
The IRS does have a special email address for employers to report Form W-2 data thefts. Below is a list of steps you need to take immediately after realizing you were scammed:
- Email email@example.com to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.
- In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
- Include the following:
- Business name
- Business employer identification number (EIN) associated with the data loss
- Contact name
- Contact phone number
- Summary of how the data loss occurred
- Volume of employees impacted
With sensible precautions in place and educating employees, businesses can reduce the risk of falling victim to W-2 phishing scams.