The IRS has urged employers to alert their payroll departments to a Form W-2 phishing scam that hit hundreds of organizations, and hundreds of thousands of their employees, last year. Targets included small and large businesses, public schools, universities and charities. The IRS aims to prevent the scam by educating employers and, for organizations already affected, by describing steps to limit the damage.
In the scam, cybercriminals research the organization and identify a person of authority (e.g., the Chief Operating Officer). They then use business email spoofing, sending mail that appears to come from that individual (typically by forging the display name or using a look-alike domain), to impersonate the executive in correspondence with payroll or HR staff. In many cases the perpetrator opens with a seemingly innocent message asking whether the employee is working today. They then request Form W-2 data for all employees and, if it is provided, follow up with a wire-transfer request. The stolen W-2 data is used to file fraudulent tax returns or is offered for sale on the dark web.
Beyond educating employers, the IRS urges businesses to put effective controls around the release of personal information. For example, a business should limit the number of employees authorized to respond to W-2 requests and, when such a request arrives, require out-of-band verification from the requester (such as a telephone call to a known number, not a number supplied in the email) before any W-2 data is sent.
Unfortunately, many employers do not realize they have been victimized until days, weeks or months after the scam is carried out, by which time the damage may already be done. Employers should therefore notify the IRS promptly upon learning they are victims. Specifically, employers should:
- Email “firstname.lastname@example.org”;
- In the subject line, type “W2 Data Loss”; and
- Include in the email: (a) the business name and employer identification number; (b) a contact name and phone number; and (c) a summary of how the data loss occurred and the number of affected employees.
Likewise, victims and attempted victims of the scam should forward the phishing email, with its full header intact, to “email@example.com” with “W2 Scam” in the subject line.
This is only one of the many cybersecurity threats employers face. These attacks continue to evolve in nature and complexity and are becoming harder to detect. If you have questions about effective cybersecurity, do not hesitate to contact our office.