In recent years there has been a growing trend of W-2 “phishing scams” in February and March, during the lead up to income tax filing deadline.
This phishing scam is combined with “spoof emails” where the scammer sends an email to a company employee (often in Human Resources) which spoofs the email address of a high-level manager or CEO.
The targeted employee thinks they are receiving an email from their boss saying that they urgently require W-2 forms of all employees in advance of an important meeting.
The unsuspecting HR employee or accountant will send the scammer the W-2s, and inadvertently cause a data security breach.
Once they have received the W-2 information, the phishers will often follow up with a second “executive” email to payroll requesting that a wire transfer is made in a certain account. This allows them not only to steal identities of employees but also money from the organization.
IRS Issues Alert
In 2017 the problem has become so bad that the IRS has issued an “urgent alert” that scammers are targeting chain restaurants, temporary staffing agencies, school districts, tribal organizations, nonprofits and varied organizations.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” said IRS Commissioner John Koskinen. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.’’
What to do
The FBI urges businesses to adopt an authentication system for email, and to establish other confirmation methods, such as telephone calls, to verify significant banking transactions and employee data information.
The IRS is telling businesses and organizations that receive a W-2 scam email to forward it to firstname.lastname@example.org with “W-2 Scam” in the subject line.
Organizations that fall victim to the scam should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.
* Advertising Material: To the extent that the information in this post is interpreted as attorney advertising in accordance with the Illinois Rules of Professional Conduct or within the meaning of state bar rules from all other localities, this statement is made pursuant to those rules.
Specialties: Specialization claims are prohibited by Illinois Supreme Court Rules and we do not claim to be specialists. The content of this e-mail is organized and presented for the sole purpose of general information. None of the included content should be construed as legal advice. Viewing this e-mail or e-mailing the account holder does not create an attorney-client relationship. NOTICE: This page may be considered advertising material.
IRS: Scam Blends CEO Fraud, W-2 Phishing – Krebson Security
‘Tis The Season…For Dangerous W-2 Phishing Scams – The National Law Review