Beware of Form W-2 Phishing Scheme, Authorities Warn

Educate HR and payroll staff about scam e-mails requesting W-2 data

By Stephen Miller, CEBS Jan 23, 2018

As tax season begins, the Internal Revenue Service is urging employers to educate their HR and payroll staff about a Form W-2 phishing scam that victimized hundreds of organizations and thousands of employees last year.

"The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community," the IRS said in a January 2018 alert. During the last two tax seasons, "cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces," the alert noted.

Bogus CEO E-Mails

Reports to phishing@irs.gov about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.

The IRS described the scam as follows:

  • Cybercriminals posing as executives send e-mails to payroll personnel requesting copies of Forms W-2 for all employees, using a technique known as business e-mail compromise (BEC) or business e-mail spoofing (BES).
  • The Form W-2 contains the employee's name, address, Social Security number, income and withholdings. Criminals use that information to file fraudulent tax returns, or they post it for sale on the dark net.
  • The initial e-mail may be a friendly, "hi, are you working today?" exchange before the fraudster asks for all Form W-2 information.

The IRS gave these examples of what appear to be e-mails from top executives at the organization:

  • Kindly reply with all W-2s of our company staff for a quick review. I need them in PDF file type, and you can send it as an attachment.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)? Kindly prepare the lists for me asap.

The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.

Take Precautions Now

"HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft," said Rick Roddis, president of ComplyRight Tax Solutions in Pompano Beach, Fla.

Notably, sophisticated phishing schemes "have targeted junior and newly hired professionals the most in order to exploit their eagerness to please [and] make a good first impression," he warned. Criminals are also monitoring social media accounts to "know when to attack, such as when a senior HR manager is on vacation."

In addition to educating payroll or finance personnel, the IRS urged employers to consider:

  • Creating a policy to limit the number of employees who have authority to handle Form W-2 requests.
  • Requiring additional verification procedures to validate the request before e-mailing sensitive data such as employee Form W-2s.
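The verification step above can be partly automated before a human ever decides whether to reply. The following is an added example, not code from the article, SHRM or the IRS: a triage routine for an inbound message to a payroll mailbox that checks the three signals the scam description relies on (a request for W-2 or employee data, an executive's display name paired with the wrong address, and a sender or Reply-To domain outside the organisation). The executive directory, the internal domain, and both sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-ins for a real directory lookup (assumptions, not real data).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}
# Phrases from the IRS-quoted requests for workforce data.
PII_KEYWORDS = ("w-2", "w2", "social security", "date of birth", "salary")


def _domain(address):
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_w2_request(raw_message):
    """Classify one inbound message: does it ask for employee PII, and does the
    sender look spoofed? Returns a dict with the evidence and a risk level."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body_part = msg.get_body(preferencelist=("plain",))
    body = (body_part.get_content() if body_part else "").lower()

    requests_pii = any(k in body for k in PII_KEYWORDS)
    anomalies = []

    # Display name matches an executive but the address is not that executive's.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        anomalies.append(
            f"display name {from_name!r} impersonates {expected} but address is {from_addr}")

    # Sender domain is not one of ours (lookalike or free-mail domain).
    if _domain(from_addr) not in INTERNAL_DOMAINS:
        anomalies.append(f"sender domain {_domain(from_addr)!r} is external")

    # Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        anomalies.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain")

    if requests_pii and anomalies:
        risk = "high"        # likely BEC: do not reply, preserve full headers for reporting
    elif requests_pii:
        risk = "verify"      # plausible sender, but still confirm through a second channel
    else:
        risk = "low"
    return {"requests_pii": requests_pii, "anomalies": anomalies, "risk": risk}


# Constructed sample mimicking the IRS-quoted wording; the domains are placeholders.
SPOOFED = """\
From: Jane Doe <jane.doe@example-payroll.net>
Reply-To: ceo.urgent@mail.invalid
To: payroll@example.com
Subject: Quick review
Content-Type: text/plain; charset="us-ascii"

Hi, are you working today? Kindly reply with all W-2s of our company staff
for a quick review. I need them in PDF file type.
"""

# Constructed sample from the genuine executive address, with no data request.
ROUTINE = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 planning
Content-Type: text/plain; charset="us-ascii"

Can we meet Thursday to go over the payroll calendar?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(label, check_w2_request(sample))
```

A "verify" result is deliberately not treated as safe: the IRS guidance is to validate every W-2 request through a channel other than the e-mail itself, so the check only tells the reviewer how urgently to escalate, never that a reply may be sent.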

If you receive an e-mail from upper management, verify the request, Roddis advised. "Your management will appreciate the extra precautions you take."


Notify the IRS

Businesses and organizations that receive a suspect e-mail should send the full e-mail headers to phishing@irs.gov and use "W2 Scam" in the subject line.

In addition, the IRS established a special e-mail notification address for employers to report Form W-2 data thefts. Form W-2 scam victims can notify the IRS as follows:

  • E-mail dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information.
  • In the subject line, type "W2 Data Loss" so that the e-mail can be routed properly. Do not attach any employee personally identifiable information data.
  • Include the following:
    —Business name.
    —Business employer identification number (EIN) associated with the data loss.
    —Contact name.
    —Contact phone number.
    —Summary of how the data loss occurred.
    —Volume of employees impacted.

Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.

"Cybercriminals' scams constantly evolve," the IRS said. "Finance and payroll personnel should be alert to any unusual requests for employee data."

Aliah D. Wright contributed to this article.
