A New WARNING for Payroll: Form W-2 Scam
The IRS and state tax agencies are urging employers to be aware of a new scam that has come to light particularly with a jump in impacted people/businesses in 2017. This scam impacted hundreds of businesses and thousands of employees in 2017 and there is concern that this may continue to rise if appropriate measures aren’t taken to prevent it. The scam is in relation to Form W-2 phishing.
How Does Sensitive Information Get Stolen?
According to the IRS website, Cybercriminals identify chief operating officers or others who may be in positions of authority. Then, using a technique known as business email compromise (BEC) or business email spoofing (BES), these criminals pose as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees.
What Can Happen When That Information Gets Out?
Because of the sensitive information the From W-2 contains, this information, if sent, can allow these cybercriminals to file a fraudulent tax return, steal an identity, or sell the information to other scammers who may do the same.
How Can I Prevent This From Happening to My Business?
Employers are encouraged to work with their Payroll department to learn the indicators of a fraudulent request and to take preventative measures to ensure information doesn’t get compromised.
By bringing this to your attention now, the IRS and its partners hope to limit the success of this scam (which jumped from 100 victims in 2016 to 900 victims in 2017) in 2018. The IRS last year also created a new process by which employers should report these scams. There are steps the IRS can take to protect employees, but only if the agency is notified immediately by employers about the theft.
As an employer, you are urged to consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.