As part of its “Don’t Take the Bait” campaign, the IRS is warning tax professionals of emails that target employees’ W-2 forms, following a fourfold increase in such cases during the 2017 filing season.
The scam, called business email compromise (BEC), “is one of the most dangerous phishing email schemes trending nationwide from a tax administration perspective,” the IRS said.
A BEC happens when a crook impersonates a company executive’s email address and makes a request to a payroll, financial or human resources staffer. Fraudsters, for example, will try to trick the employee into transferring funds into a specified account or request a list of employees and their W-2s.
“These are incredibly tricky schemes that can be devastating to a tax professional or business,” said IRS Commissioner John Koskinen in a statement. “Cybercriminals target people with access to sensitive information, and they cleverly disguise their effort through an official-looking email request.”
Earlier this year, the FBI reported a 1,300 percent rise in losses, including more than $3 billion in wire transfers, since January 2015. The culprits were found to be national and international organized crime groups who targeted businesses nationwide and in 100 other countries.
During last year’s tax-filing season, the IRS first warned that the scam was targeting tax administration and using BECs to get employees’ W-2s. The crooks then immediately filed bogus tax returns mirroring the actual income that the employees got. That, in turn, made the fraud more difficult to detect.
This year, the IRS has seen the W-2 scam increase to 200 from 50 in 2016. Targets include businesses, public schools, universities, tribal governments and nonprofits. The scams resulted in several hundred thousand employees having their personal data stolen.
Further, the W-2s can be posted on what’s called the “Dark Net” for criminals’ benefit.
While the IRS can help prevent employees from being victims, the problem is that businesses often don’t realize for weeks or months that they’ve been scammed.
Businesses that have encountered BECs can report W-2 thefts to the IRS at [email protected]. Put “W-2 scam” in the subject line and include a contact name in the email.
Businesses that encounter a BEC without being scammed can forward it to [email protected] with W-2 in the subject line.
Tax professionals who encounter or seek to prevent BECs should do the following:
- Confirm requests for Forms W-2, wire transfers or any sensitive data exchanges verbally, using known telephone numbers, not telephone numbers listed in the email.
- Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
- Educate employees about this scam, particularly those with access to sensitive data such as W-2s or with authorization to make wire transfers.
- Consult with an IT professional and create an intrusion-detection system that flags emails with extensions similar to company email, such as the legit abc_company.com instead of the bogus abc-company.com; establish an email rule that flags a “reply” email address that differs from the “from” address; and color-code emails so that those from employees and internal accounts are one color and emails from external sources or nonemployees are another.
Aside from notifying the IRS, BEC victims should file a complaint with the FBI at the Internet Crime Complaint Center (IC3).
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.