Employers are being warned to be wary of W-2 phishing scams this tax season. Over the past two years, hundreds of employers have been tricked into disclosing the W-2 forms of their employees. The names, Social Security numbers and wage details on those forms were then used to file fraudulent tax returns in the employees' names. This year is likely to be no different.
Last year, accounts department and payroll staff were targeted with W-2 phishing scams using an attack method termed business email compromise (BEC). In these scams the attacker impersonates the CEO or another C-suite executive and emails accounts or payroll staff asking for copies of the W-2 forms of every employee who worked for the company during the past fiscal year.
The emails are convincing because they appear to come from within the company: the sender's display name, and often the address itself, matches a known executive, typically through a spoofed address or a lookalike domain that is easy to miss at a glance. Many payroll and accounts department staff fell for the scam and emailed the data as requested. Companies, educational institutions, healthcare providers, tax professionals and charities were all targeted. According to the IRS, more than 200 employers disclosed their employees' details to scammers last year. Hundreds of thousands of employees had their tax information exposed, and many suffered considerable losses as a result.
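The indicators a mail filter or SOC analyst looks for in this kind of message can be checked mechanically. The script below is an added example, not code from the article or the IRS: it parses an inbound message, flags an executive display name paired with an address the directory does not know, a sender domain that is a near miss of the real one, and a Reply-To that quietly redirects replies elsewhere, and only raises an alert when one of those coincides with a request for W-2 or payroll data. The company domain (`example.com`), the executive directory, the trigger phrases and both sample messages are constructed assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the company's real domain, a directory of
# executives whose names are worth impersonating, and the phrases that mark a
# request for tax data. A real deployment would load these from the directory.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
W2_PHRASES = ("w-2", "w2", "payroll", "tax form")


def edit_distance(a, b):
    """Levenshtein distance; a small value between domains marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message):
    """Return impersonation indicators and whether the mail asks for W-2 data."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    indicators = []

    # Executive's display name paired with an address the directory does not know.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        indicators.append("executive display name with unknown address")

    # Sender domain is a near miss of the real one (examp1e.com, exarnple.com).
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        indicators.append("lookalike sender domain")

    # Replies are silently routed to a mailbox outside the sending domain.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("reply-to domain differs from sender domain")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    requests_w2 = any(phrase in text for phrase in W2_PHRASES)

    return {
        "indicators": indicators,
        "requests_w2": requests_w2,
        # Alert only when a tax-data request coincides with an impersonation
        # sign, so a genuine payroll mail from inside the company is not blocked.
        "suspicious": requests_w2 and bool(indicators),
    }


# Constructed sample messages (not real mail): one BEC attempt, one genuine mail.
SCAM_MESSAGE = (
    'From: "Jane Doe" <jane.doe@examp1e.com>\n'
    "Reply-To: <jdoe.office@webmail.example.net>\n"
    "To: payroll@example.com\n"
    "Subject: Urgent: W-2 copies for all employees\n"
    "\n"
    "I need the W-2 forms for everyone who worked here last year as a PDF today.\n"
    "I am in meetings all day, so please reply by email only.\n"
)

GENUINE_MESSAGE = (
    'From: "Payroll Team" <payroll@example.com>\n'
    "To: staff@example.com\n"
    "Subject: W-2 forms are now available on the HR portal\n"
    "\n"
    "Log in to the HR portal to download your W-2 form. Do not email it to anyone.\n"
)

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(label, analyze(raw))
```

The genuine payroll announcement trips the W-2 phrase match but none of the impersonation checks, so it passes; the scam message trips all three. Header checks like these complement, rather than replace, the out-of-band verification described below, because an attacker who has actually compromised an executive's mailbox produces mail with none of these indicators.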
Employers should educate their accounts and payroll staff about W-2 phishing scams and implement a policy that requires any email request for employee data to be verified before a response is sent. Verification should be made in person or by telephone, using a number already known to the staff member rather than one supplied in the email, and never by replying to the email. Scammers have been known to converse with accounts staff over email and convince them that the request is genuine. A ban on sending tax information by email should also be considered.
It is important that W-2 phishing scams are reported. Anyone receiving a scam email should send the message to the IRS at firstname.lastname@example.org with the subject line “W2 Scam”.
Any employer that falls for such a scam should alert the IRS immediately so that action can be taken to prevent fraudulent returns being filed. An email with the subject line “W2 Data Loss” should be sent to email@example.com with a brief explanation of what happened. No employee data should be included in that email.