W-2 Phishing Scam Targeting More Employers, Including Chain Restaurants and Staffing Companies

Yesterday, the IRS and state tax agencies issued a joint warning to employers that the Form W-2 phishing scam that first affected large businesses last year has now expanded to other organizations, including chain restaurants, staffing companies, schools, tribal organizations, and nonprofits.  The scam involves emails sent to payroll or human resources employees that appear to be from organization executives and request a list of all employees and their Forms W-2.  Once the scammer receives the information, it can be used to file false tax returns and claim employee refunds.

According to IRS Commissioner John Koskinen, this is one of the most dangerous phishing scams the tax world has faced in a long time.  The IRS and its state and industry partners, known as the “Security Summit,” have enacted safeguards in 2016 and 2017 to identify and halt scams such as this, but cybercriminals simply evolve their methods to avoid those safeguards.  A 2016 Government Accountability Office report found that in 2014, the IRS paid an estimated $3.1 billion in fraudulent identity theft refunds.  The report also found that the IRS prevented the payment of or recovered another $22.5 billion in identity theft refunds in the same year.  Both numbers were down from the prior year, but it is somewhat unclear whether that is a result of a change in the methodology used to calculate the estimates.

To add insult to injury, some scammers are going back to the well by following up on the Form W-2 request with an email requesting a wire transfer.  As a result, some entities have not only exposed their employees’ personal information and made them vulnerable to potential identity theft but also lost thousands of dollars.  Employers should ensure that payroll, treasury, and accounts payable processes and procedures are in place to prevent the unauthorized sharing of Form W-2 information and unauthorized wire transfers.

Organizations that receive a scam email should forward the email to phishing@irs.gov, placing “W2 Scam” in the subject line.  In addition, organizations should file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the FBI.  If an organization has already had Forms W-2 stolen, it should review the Federal Trade Commission and IRS’s recommended actions, available at www.identitytheft.gov and www.irs.gov/identitytheft, respectively.  Employees concerned about identity theft can consult Publication 4524 and Publication 5027 for information.  If an employee’s tax return gets rejected because of a duplicate social security number, he or she should file Form 14039, “Identity Theft Affidavit.”