Educate HR and payroll staff about scam e-mails requesting W-2 data
As tax season begins, the Internal Revenue Service is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.
"The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community," the IRS said in a January 2018 alert. During the last two tax seasons, "cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces," the alert noted.
Bogus CEO E-Mails
firstname.lastname@example.org about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.
The IRS described the scam as follows:
The IRS gave these examples of what appear to be e-mails from top executives at the organization:
The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.
Take Precautions Now
"HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft," said Rick Roddis, president of ComplyRight Tax Solutions in Pompano Beach, Fla.
Notably, sophisticated phishing schemes "have targeted junior and newly hired professionals the most in order to exploit their eagerness to please [and] make a good first impression," he warned. Criminals are also monitoring social media accounts to "know when to attack, such as when a senior HR manager is on vacation."
In addition to educating payroll or finance personnel, the IRS urged employers to consider:
If you receive an e-mail from upper management, verify the request, Roddis advised. "Your management will appreciate the extra precautions you take."
Notify the IRS
Businesses and organizations that receive a suspect e-mail should send the full e-mail headers to email@example.com and use "W2 Scam" in the subject line.
In addition, the IRS established a special e-mail notification address for employers to report Form W-2 data thefts. Form W-2 scam victims can notify the IRS as follows:
—Business name.
—Business employer identification number (EIN) associated with the data loss.
—Contact name.
—Contact phone number.
—Summary of how the data loss occurred.
—Volume of employees impacted.
Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
"Cybercriminals' scams constantly evolve," the IRS said. "Finance and payroll personnel should be alert to any unusual requests for employee data."
Aliah D. Wright contributed to this article.