The Internal Revenue Service (“IRS”), state agencies and the tax industry have issued severe warnings to employers about W-2 email phishing scams (“scams”).
These phishing scams initially targeted corporate employers, but have now spread to other sectors such as healthcare organizations, nonprofit organizations, schools, chain restaurants, temporary staffing agencies, shipping and freight companies and tribal casinos. The scam emails appear to come from company executives and request personal employee information. They may subject employers to serious data loss and put their employees at personal risk of identity theft.
Cybercriminals disguise emails to make them look like they are being sent by an executive of the organization by using various spoofing techniques. These disguised emails are usually sent to an individual in either the human resources or payroll departments. The email typically requests a list of all employees and a copy of their Form W-2 or a PDF file of all the Forms W-2 from a given year or years.
Examples of the email scam, as provided by the IRS, are as follows:
In an updated version of the scam, cybercriminals are also adding a wire transfer scam. This is accomplished through a follow-up disguised email that requests a wire transfer be directed to a cybercriminal’s account.
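A detection sketch for the pattern described above (an executive's name on a request for Forms W-2, or on the follow-up wire request, sent to HR or payroll), added here as an example and not taken from the IRS guidance. The domain, executive name, mailboxes and the three sample messages are constructed assumptions, and the Reply-To check is an assumed indicator, since the page does not name specific spoofing techniques.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (not from the page): org domain, executives, HR/payroll mailboxes.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat rivera"}
SENSITIVE_RCPTS = {"payroll@example.com", "hr@example.com"}
REQUEST = re.compile(r"\bw-?2s?\b|wire transfer", re.IGNORECASE)

# Constructed sample messages.
SPOOFED = ("From: Pat Rivera <pat.rivera@example-corp.test>\n"
           "Reply-To: pat.rivera@mailbox.test\nTo: payroll@example.com\n"
           "Subject: Urgent request\n\nPlease send a PDF of all employee W-2 forms.\n")
FORGED_DOMAIN = ("From: Pat Rivera <pat.rivera@example.com>\n"
                 "Reply-To: pat.rivera@mailbox.test\nTo: hr@example.com\n"
                 "Subject: Follow up\n\nPlease arrange a wire transfer today.\n")
LEGIT = ("From: Pat Rivera <pat.rivera@example.com>\nTo: payroll@example.com\n"
         "Subject: Lunch schedule\n\nTeam lunch is on Friday.\n")


def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def findings(raw):
    """Return the reasons a raw message resembles the W-2 request scam."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    out = []
    # Executive's display name, but the address is outside the organisation.
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != ORG_DOMAIN:
        out.append("executive display name on an external address")
    # Replies would be routed to a different domain than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        out.append("Reply-To domain differs from From domain")
    # The request itself: W-2 data or a wire transfer, addressed to HR/payroll.
    if to_addr.lower() in SENSITIVE_RCPTS and REQUEST.search(text):
        out.append("W-2 or wire request sent to HR/payroll")
    return out


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("forged", FORGED_DOMAIN), ("legit", LEGIT)):
        print(label, findings(raw))
```

The second sample shows why the header checks are combined: a forged From address on the organisation's own domain passes the display-name check and is caught only by the Reply-To and content checks.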
The IRS has issued guidance on its website, dated March 28, 2017, titled “Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.” If the IRS is notified quickly, they may be able to help mitigate the loss and protect employees from any tax-related identity theft by taking the following steps:
1. Contacting tax and law enforcement agencies:
2. Inform Employees that their W-2 data was stolen:
Employers should let employees know that cybercriminals who have stolen employee information may file fraudulent tax returns to claim refunds or may sell the data to others who may perpetrate crimes. The IRS suggests providing employees with formal IRS information as follows: (1) the Taxpayer Guide to Identity Theft, (2) IRS Publication 5027 (Identity Theft Information for Taxpayers), and (3) IRS Publication 4524 (Security Awareness for Taxpayers). The Federal Trade Commission also offers additional guidance. Employees can file a Form 14039, Identity Theft Affidavit, if their tax information has been compromised.
3. Report the Phishing Email:
Whether or not an employer fell victim to the scam, they should forward the phishing scam email to the IRS at phishing@IRS.gov. The IRS will need the email header provided in plain ASCII text format. The phishing email should be saved as an email file and attached to the email, with the subject “W-2 Scam”. The IRS urges employers not to send any sensitive employee data such as Form W-2 or Social Security numbers. The IRS also recommends filing a complaint with the IC3.
In an attempt to fight identity theft, the IRS and payroll service providers have partnered in an initiative to place a 16-digit verification code on a sample of Forms W-2. In 2016 there were approximately 47 million Forms W-2 filed using these codes, which is a significant increase from the 2 million filed in 2015. The verification code appears on Form W-2, Copy B, To be filed with employee’s federal tax return, and Copy C, For employee’s records.
The IRS recommends (but does not require) that the verification code be entered into tax software when a return is electronically filed. The code enables the IRS to validate the authenticity of the W-2 filed with a personal income tax return. According to the IRS, an increasing number of taxpayers are entering these codes. The IRS has also reported that the verification code has been successful 97% of the time in W-2 authentication. As this program expands, it can be an effective tool for preventing a fraudulent tax return from being filed.
Employers and employees should be educated so as not to fall victim to this scam or any other cybercrime. Awareness and preventative measures should be taken to avoid evolving scams. Employers should take precautions, routinely educate employees, and perform cybersecurity reviews to protect all company data.