Phone and e-mail scams are a hot topic these days. Many of us have received one of those threatening calls. Some scammers even pose as IRS agents. Recently, the IRS and state tax agencies alerted employers to an insidious scam to “phish” for W-2 payroll information and steal employees’ identities.
This W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including schools and nonprofits. The W-2 scam is a “twist” on the old scheme where scammers phish for wire transfer instructions by sending an e-mail to accounting staff. Some organizations have been caught in both scams and lost twice.
The IRS Commissioner, John Koskinen, stated: “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.’’
Here’s how the scam works: Cybercriminals disguise an email to make it appear to be from an organization executive. The email is sent to an employee in the payroll or human resources department, requesting a list of employees and their Forms W-2. This scam first appeared last year and is circulating again this tax season. Businesses that were hit last year are reportedly being phished again this year.
What to do if your organization gets phished? The IRS wants employers to report W-2 thefts immediately at https://www.irs.gov/uac/report-phishing so they can take steps to help protect employees from tax-related identity theft. Report all unsolicited email claiming to be from the IRS or an IRS-related function to [email protected].
Bottom line? Don’t get phished! Verify the e-mail sender before clicking on a link or providing any information.