It’s all hands on deck again this year to get the word out about a W-2 phishing scam that victimized more than 200 employers and thousands of employees last year. This scam has affected all types of businesses, no matter the industry, size or type, and many times the business didn’t realize it was a victim for days, weeks or months. In these cases, cybercriminals trick payroll personnel or individuals with access to payroll information into disclosing sensitive information by using techniques known as business email compromise (BEC) or business email spoofing (BES). The cybercriminals pose as authority figures, e.g., CEOs or CFOs, and send emails to payroll personnel requesting sensitive data such as copies of W-2s for all employees. In some cases, the cybercriminals follow up with a wire transfer request once they receive the sensitive data.
This is one of the most dangerous identity theft schemes in the tax community; the IRS, state agencies and tax industry urge employers to educate their payroll personnel now. In addition, the IRS and Security Summit partners urge employers to create or modify policies to limit the number of employees who have authority to handle Form W-2 requests and require additional verification procedures to validate requests before sending sensitive data.
If your business or organization receives a suspicious email but doesn’t fall victim to the scam, send the full email headers to firstname.lastname@example.org with “W2 Scam” as the subject line.
If your business or organization needs to report a theft of Form W-2 data, email email@example.com with “W2 Data Loss” as the subject line. Include the business name, employee identification number (associated with the data loss), contact name and phone number, summary of how the data loss occurred and volume of employees affected. Employers also should visit the IRS data theft page for information on contacting state agencies and law enforcement officials as well as guidance on what to tell your employees about a W-2 data loss.
Cybercriminals are constantly changing their tactics to steal information, so it’s important employees remain vigilant when receiving requests for sensitive information. For additional guidance, a recent BKD Thoughtware® article provides great information to help prevent and mitigate identity theft. Contact your trusted BKD advisor for more information or to find out what our cybersecurity team can do for you.