Protect Yourself From W-2 Phishing Scams
Beware of a resurgence in this type of phishing scam. Last year’s Form W-2 sham that victimized hundreds of organizations and thousands of employees is predicted to be one of this year’s most onerous problems, according to the IRS and its partners in the Security Summit.
The IRS said that reports about the scam to its email address [email protected] numbered about 900 in 2017 — up sharply from roughly 100 in 2016. The fraudsters tricked payroll employees into revealing sensitive information about the entire company.
How did they do it? The crooks figure out who the big bosses are and use business email to pose as those executives in emails sent to payroll employees, asking for copies of Forms W-2 for all employees. The forms, of course, include employee names, addresses, Social Security numbers, incomes and withholdings.
The crooks use the information to file bogus tax returns — or sell it on the so-called Dark Net. In some cases, the fraudsters asked for a wire transfer after receiving the employees’ information.
The Security Summit partners — which also include state tax agencies and the tax industry — want employers to create a policy that limits the number of people who have the authority to handle Form W-2 requests and that requires additional verification to validate requests.
That’s to circumvent the problem some businesses faced when they didn’t know about the scam for days or even months.
Here’s the procedure for employers who report Form W-2 data thefts to the IRS:
- Email [email protected] to report a Form W-2 data loss and provide contact information, as listed below.
- In the subject line, type “W2 Data Loss” so that the email can be routed properly. Employers should not include any identifying information about employees.
- The email should include the business name, employer identification number connected to the data loss, contact name and phone number, description of how the data loss happened, and how many employees were affected.
Those businesses that only receive a suspicious email but don’t actually turn over any employee information should send the full email headers to [email protected] and use “W2 Scam” in the subject line.
The IRS offers more information on the scam and how to report it to different agencies at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.