If you work in payroll or human resources and you get an email from your boss with a friendly “Hi, are you working today?” the IRS says the identities of your company’s entire workforce could be in the cross-hairs of a criminal.
A look at the popular W-2 scam
For the past two tax seasons, scamsters have been running a successful W-2 email phishing scam operation that has tricked major companies like messaging service Snapchat and disk-drive maker Seagate Technology.
Only, it’s not the companies that suffer the greatest harm from this scam — it’s their rank-and-file employees.
Here’s how this scam works: Through business email compromise (BEC) or business email spoofing (BES), criminals pose as top company brass and send emails to payroll professionals asking for copies of W-2 forms for all employees.
Unfortunately, those earnings summaries have more than just salaries and wages on them. They also contain employees’ names, addresses, Social Security numbers and withholding info.
Once an email chain is established between a payroll professional and a crook masquerading as a CEO, the criminal can even follow up with a request for a wire transfer.
Businesses fight back
So what’s a business to do in light of a crime that’s grown exponentially from just 100+ reported cases in 2016 to some 900 in 2017 — and is only likely to grow from here?
The IRS has a few recommendations:
- Companies should limit the number of employees who have authority to handle W-2 requests.
- Anyone authorized to handle W-2 requests should be trained in how to validate the query before turning over the requested info.
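As an added, defender-side example (not from this article or the IRS), here is a small Python triage check that a payroll team's mail filter could apply to the pattern described above: a message asking for W-2s whose From display name matches an executive but whose address or domain does not, or that leans on urgency. The executive names, domains and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample data: executives whose names a scammer might borrow, and the company domain.
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)
URGENCY_PATTERN = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.IGNORECASE)

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def assess_w2_request(raw_message):
    """Return reasons a W-2 request should be verified out of band (e.g. by phone)
    before any data is sent; an empty list means no red flag was found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if not (W2_PATTERN.search(text) or W2_PATTERN.search(msg.get("Subject", ""))):
        return []  # not about W-2s at all; out of scope for this check
    reasons = []
    if display_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[display_name]:
        reasons.append("display name matches an executive but address does not")
    if domain_of(from_addr) != INTERNAL_DOMAIN:
        reasons.append("sender domain is external")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        reasons.append("Reply-To points to a different domain than From")
    if URGENCY_PATTERN.search(text):
        reasons.append("request uses urgency language")
    return reasons

# Constructed sample messages: one spoofed request and one routine internal message.
SAMPLE_SCAM = """\
From: "Jane Doe" <jane.doe@example-corp-mail.net>
Subject: Hi, are you working today?

Hi, are you working today? Please send me the W-2s for all employees asap.
"""
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Subject: W-2 reconciliation

Can you confirm the W-2 run finished? No copies needed.
"""
```

Any non-empty result should route the message to a human who confirms the request through a known phone number, never by replying to the email.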
Meanwhile, do you believe your organization has already fallen victim to a W-2 scam this year? If so, the IRS has a new protocol in place for you in 2018:
- Email email@example.com to notify the IRS of a Form W-2 data loss
- Use “W2 Data Loss” as the subject line
- Don’t attach personally identifiable information (PII) for any employee
- Be sure to include the following in your email:
  - Business name
  - Business employer identification number (EIN) associated with the data loss
  - Contact name
  - Contact phone number
  - Summary of how the data loss occurred
  - Volume of employees impacted
Finally, vigilance on the part of business owners is the best way to combat this scam. If your business or organization receives a scam request but does not fall victim to it, you can send the full email headers to firstname.lastname@example.org. Be sure to use “W2 Scam” as the subject line so it can be routed properly.