Dangerous Phishing Scam Targeting Employers This Tax Season

Written by: Anthony E. Stewart, Esq.

The Internal Revenue Service (IRS) and state tax agencies are warning employers about one of the most dangerous phishing scams in the tax community. Cybercriminals are targeting organizations nationwide and tricking payroll personnel into disclosing the sensitive personal information of an organization’s entire workforce. Last year, more than 200 employers fell victim to this Form W-2 phishing scam, which compromised the identity of hundreds of thousands of employees.

The IRS has warned that organizations have lost both employees’ W-2s and thousands of dollars in fraudulent wire transfers as a result of the scam. A W-2 contains sensitive personal information, such as an employee’s name, address, Social Security number, income, and withholdings. If this stolen information is used to create and submit false tax returns or open lines of credit, the organization may also be liable for the resulting identity theft of its employees.

Here’s how it works:

To initiate the scam, an attacker spoofs the email address of one of the organization’s executives, or hijacks that executive’s actual account, and emails payroll or human resources personnel requesting copies of W-2s for every employee. At first glance the message looks like a legitimate request from within the organization, and the attacker often adds social engineering (a plausible business reason, a sense of urgency) to make it more convincing. Because the message originates from, or carries a reply address pointing to, a mailbox the attacker controls, the target’s reply, W-2s attached, goes straight to the attacker. If that request succeeds, the “executive” often follows up with a request for a wire transfer, which again appears to come from inside the organization and frequently results in a fraudulent payment. More often than not, those funds are unrecoverable.

How to protect your organization from these attacks:

This scam continues to evolve and can fool even the most cautious person. However, there are steps you and your organization can take to reduce the likelihood of becoming the next victim:

Step 1: Educate your employees

Knowledge is power. Share articles like this one with your employees, specifically those in your payroll and HR departments. Let your employees know that this is an active threat and that your organization is a target. Provide training sessions throughout the year to ensure your employees are kept up to date with the latest cyber scams.

Step 2: Implement a policy of verifying all W-2 and wire transfer requests

Any request for sensitive information or to initiate a wire transfer should be independently verified before anything is sent. Employees should not rely on email or other forms of electronic communication to complete this verification, and in particular should not reply to the requesting message or call a number it supplies. Instead, the employee should confirm the request over the phone using a number already on file for the executive or, ideally, face-to-face.

Step 3: Protect your network

Not only do you have to worry about a potential data breach and fraudulent wire transfer, but cybercriminals are also taking advantage of this time of year to infect victims with malware. Malware is commonly spread through malicious hyperlinks and email attachments. To help reduce malware infections, install and maintain anti-virus software, firewalls, and email filters, and configure email authentication (SPF, DKIM, and DMARC) for your own domain so that messages forged to look like they come from your executives are rejected or quarantined. Also, make sure that you keep all of your software up to date.

What to do if you have received a W-2 phishing scam email:

If your organization has lost data to this scam, the IRS may be able to take steps that can help protect your employees from tax-related identity theft. To notify the IRS of W-2 data theft, send an email to dataloss@irs.gov and provide the following information:

  • In the subject line, type “W2 Data Loss.”
  • In the body of the email, include:

o Business name
o Business employer identification number (EIN) associated with the data loss
o Contact name
o Contact phone number
o Summary of how the data loss occurred
o Volume of employees impacted

  • Do not attach or include any employee personally identifiable information data with your report.

To notify the IRS of an attempted W-2 data theft, forward the fraudulent email to phishing@irs.gov and provide the following information:

  • In the subject line, type “W2 Scam.”
  • The IRS needs the email header from the phishing email for its investigation. The headers should be produced in plain ASCII text format. Instructions for retrieving a copy of email headers vary by email provider.
  • Do not attach any employee personally identifiable information data.

After sending the email, the IRS recommends that you file a complaint with the Internet Crime Complaint Center.
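The two technical points above, that the reply to a scam message lands in a mailbox the attacker controls (see “Here’s how it works”) and that the IRS wants the headers of the phishing email as plain ASCII text, can both be handled by a small triage script. The following is an added example, not code from the article or from the IRS; it uses Python’s standard email library only. The organization domain, executive name, and the two sample messages are constructed for illustration and are not real.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed facts about the organization (hypothetical; replace with your own).
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe"}
SENSITIVE_TERMS = ("w-2", "w2", "wire")

# Constructed sample in the style of the scam (not a real message). Note the
# look-alike sender domain ("rn" in place of "m") and the external Reply-To.
SCAM_EML = b"""From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: payroll@example-corp.com
Subject: W-2s for all employees
Date: Mon, 05 Feb 2018 09:12:00 -0500
Message-ID: <20180205091200.1234@mail-relay.example>
Content-Type: text/plain; charset="utf-8"

Hi, I need PDF copies of every employee's W-2 today. Just reply to this email.
"""

# Constructed benign internal message, to show the checks stay quiet on it.
CLEAN_EML = b"""From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Lunch on Friday
Date: Mon, 05 Feb 2018 09:15:00 -0500
Content-Type: text/plain; charset="utf-8"

Can we move the team lunch to 12:30?
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _fold_homoglyphs(domain: str) -> str:
    """Collapse common look-alike substitutions so 'exarnple' compares equal to 'example'."""
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(lookalike, real)
    return domain


def headers_as_ascii(raw: bytes) -> str:
    """Return only the header block as plain ASCII text; the body (and any W-2 data) is left out."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return text.encode("ascii", "backslashreplace").decode("ascii")


def triage(raw: bytes) -> list:
    """Flag the reply-path tricks the scam relies on; returns (code, detail) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []
    if from_dom not in INTERNAL_DOMAINS:
        findings.append(("external-sender", from_dom))
        if _fold_homoglyphs(from_dom) in {_fold_homoglyphs(d) for d in INTERNAL_DOMAINS}:
            findings.append(("lookalike-domain", from_dom))
        if any(name in display.lower() for name in EXECUTIVE_NAMES):
            findings.append(("exec-display-name", display))
    # A hijacked (genuine) account shows no sender anomaly; a Reply-To pointing
    # elsewhere is then the tell that the reply will not reach the executive.
    if reply_addr and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", reply_dom))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits:
        findings.append(("sensitive-request", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EML), ("clean", CLEAN_EML)):
        print(f"--- {label} ---")
        print(headers_as_ascii(raw))
        for code, detail in triage(raw):
            print(f"FLAG {code}: {detail}")
```

Run against the scam sample, the script reports an external sender, a look-alike domain, an executive’s name on an external address, a Reply-To that differs from the sender, and a request mentioning W-2s; against the benign sample it reports nothing. The header dump is what you would paste into the report to phishing@irs.gov; it deliberately excludes the body so no employee data travels with it. The homoglyph folding is a small heuristic, not a complete look-alike detector, and the term list should be tuned to your own vocabulary.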

These attacks are becoming more and more sophisticated. Attackers are not just targeting Fortune 500 companies. They are attacking organizations across the country, including healthcare facilities, small businesses, large corporations, public schools and universities, hospitals, tribal governments, and charities. We anticipate that their frequency will increase, costing organizations millions in stolen data, damage, and downtime. Taking the time now to train your employees and to assess your internal controls is crucial to protecting your organization and its employees.