OUR THOUGHTS ON:

Payroll Personnel, Beware of W-2 Scam

Cybersecurity|Internal Revenue Service|Tax

By Keith Donnelly

The IRS has urged employers to notify their payroll department of a W-2 phishing scam that affected hundreds of organizations—and hundreds of thousands of their employees—last year. Targets of the scam include small and large businesses, public schools, universities and charities. The IRS hopes to prevent the scam by educating employers and, for those affected by the scam, by providing measures to mitigate its success.

In the scam, cybercriminals research the organization and identify persons of authority (e.g., the Chief Operating Officer in a business). They then use a technique known as business email spoofing to impersonate that individual in email correspondence. In many cases, the perpetrator will begin with a seemingly innocent email, asking if the employee is working today. Thereafter, they will request Form W-2 information for all employees and, if that is received, ask for a wire transfer. The cybercriminal will use the W-2 information to file fraudulent tax returns or place it for sale on the Dark Net.

In addition to educating employers to prevent the scam, the IRS urges businesses to have effective controls in place around the release of private information. For example, businesses should limit the number of employees who can respond to W-2 requests and, when such a request is made, require additional verification from the requestor (such as a telephone call) before sending the W-2.

Unfortunately, many employers do not realize they are victims of the scam until days, weeks or months after it is effectuated. By this time, damage may have occurred. For this reason, employers should timely notify the IRS upon learning they are victims of the scam. Specifically, employers should:

  1. Email “dataloss@irs.gov”;
  2. In the subject line, type “W2 Data Loss”; and
  3. Include in the email: (a) the business name and employer identification number; (b) a contact name and phone number; and (c) a summary of how the data loss occurred and the number of affected employees.

Likewise, victims, or attempted victims, of the scam should send the full email header to “phishing@irs.gov” with “W2 Scam” in the subject line.  

This is merely one of the many cybersecurity threats employers face. The nature and complexity of these attacks continues to evolve, becoming increasingly more difficult to detect. If you have questions about effective cybersecurity, do not hesitate to contact our office. 

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2018 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

comments