
By Jessica C. Engler

The IRS sent an urgent alert to employers this month warning that a W-2 phishing scam, to which many companies fell victim in 2016, is back in full force for 2017. The IRS warns that the scam is emerging earlier this year and is targeting school districts, tribal organizations, and nonprofits in addition to businesses.

The “W-2 Scam” is carried out by persons who disguise (“spoof”) an email to make it look like it came from a top executive or one of the recipient’s business colleagues. The spoofed email is typically sent to the organization’s accounting and human resources departments and asks for a list (or the copies themselves) of the company’s W-2 tax forms, employees’ dates of birth, and Social Security Numbers. If the unsuspecting victim responds with this information, the sender can use the data to file false tax returns, generate revenue on the black market, and perpetrate identity theft.

While this email can take many forms, some example phrasing for the email includes:

  • “Please send me the individual 2016 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review”
  • “Hope you had a nice weekend. Do you have PDF copies of the employee’s W-2s? Could you please send to me for a quick review?”
  • “I need you to email me the list of individual W-2 copies of all employees’ wages and income tax statements for 2016 tax year in PDF file format for quick review. Prepare the list and send to me ASAP. I will brief you more about this later.”

The IRS warning indicates that these phishing emails are also including requests for wire transfers this year.

The Security Summit (which comprises the IRS, state tax agencies, and members of the tax industry) recommends that employers and employees stay vigilant against this threat. Employers may consider providing additional training for employees on recognizing these phishing emails.

The IRS instructs any organization that receives a W-2 scam email to forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scam emails or fall victim to the scam can file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the Federal Bureau of Investigation. Organizations should also consider contacting an attorney with experience in data management to assist in the response to affected persons.