As tax season starts, the Internal Revenue Service is asking employers to educate their payroll personnel about a Form W-2 phishing scam that effected hundreds of organizations and thousands of employees last year.

What is the Form W-2 Scam?

“The Form W-2 scam has emerged as one of the most dangerous phishing e-mails in the tax community,” the IRS said in a recent update. During the last two tax seasons, “cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces,” the alert noted.

Reports to phishing@irs.gov about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016, the IRS said. As a result, hundreds of thousands of employees had their identities compromised.

The IRS described the scam as follows:

  • Cybercriminals pose as executives and send emails to payroll personnel asking for copies of Form W-2 for all employees. This technique is sometimes known as business e-mail compromise (BEC) or business e-mail spoofing (BES).
  • The Form W-2 contains the employee’s name, address, Social Security number, income and withholdings. Cybercriminals then use the information to file fraudulent tax returns, or they post the data for sale on the dark net.

The scam affected all types of employers last year, from small and large businesses to public schools and universities, hospitals, tribal governments and charities, the IRS said.

What can I do to protect my business from the scam?

In addition to educating payroll or finance personnel, the IRS urged employers to consider:

  • Creating a policy to limit the number of employees who have authority to handle Form W-2 requests.
  • Requiring additional verification procedures to validate the request before e-mailing sensitive data such as employee Form W-2s.

What should I do if my business becomes a victim of the scam?

Businesses and organizations that receive a suspect e-mail should send the full e-mail headers to phishing@irs.gov and use “W2 Scam” in the subject line.

In addition, the IRS established a special e-mail notification address for employers to report Form W-2 data thefts. Form W-2 scam victims can notify the IRS as follows:

  • E-mail dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information.
  • In the subject line, type “W2 Data Loss” so that the e-mail can be routed properly. Do not attach any employee personally identifiable information data.
  • Include the following:
      • Business name
      • Business employer identification number (EIN) associated with the data loss
      • Contact name
      • Contact phone number
      • Summary of how the data loss occurred
      • Volume of employees impacted

Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.