IRS Guidance on Reporting W-2/SSN Data Breaches

The IRS recently laid out reporting procedures for employers and payroll service providers that have fallen victim to various Form W-2 phishing scams.  In many of these scams, the perpetrator poses as an executive in the company and requests Form W-2 and Social Security Number (SSN) information from an employee in the company’s payroll or human resources departments (see prior coverage).  If successful, the perpetrator will immediately try to monetize the stolen information by filing fraudulent tax returns claiming a refund, selling the information on the black market, or using the names and SSNs to commit other crimes.  Thus, time is of the essence when responding to these data breaches.

According to the IRS’s instructions, an employer or payroll service provider that suffers a Form W-2 data loss should immediately notify the following parties:

  1. IRS. The entity should email dataloss@irs.gov, with “W2 Data Loss” in the subject line, and provide the following information: (a) business name; (b) business employer identification number (EIN) associated with the data loss; (c) contact name; (d) contact phone number; (e) summary of how the data loss occurred; and (f) volume of employees impacted.  This notification should not include any employee personally identifiable information.  Moreover, the IRS does not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.  Thus, any such request should not be taken as a genuine IRS request.
  2. State tax agencies. Since any data loss could affect the victim’s tax accounts with the states, the affected entity should email the Federal Tax Administrators at StateAlert@taxadmin.org for information on how to report the victim’s information to the applicable states.
  3. Other law enforcement officials. The entity should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), and may be asked to file a report with their local law enforcement agency.
  4. Employees. The entity should ask its employees to review the IRS’s Taxpayer Guide to Identity Theft and IRS Publication 5027 (Identity Theft Information for Taxpayers).  The Federal Trade Commission (FTC) suggests that victims of identity theft take various immediate actions, including: (a) filing a complaint with the FTC at identitytheft.gov; (b) contacting one of the three major credit bureaus to place a “fraud alert” on the victim’s credit card records; and (c) closing any financial or credit accounts opened by identity thieves.

The IRS has also established separate reporting procedures for employers and payroll service providers that only received the phishing email without falling victim.  Tax professionals who experience a data loss should also promptly report the loss pursuant to the IRS’s procedures.

W-2 Phishing Scam Targeting More Employers, Including Chain Restaurants and Staffing Companies

Yesterday, the IRS and state tax agencies issued a joint warning to employers that the Form W-2 phishing scam that first affected large businesses last year has now expanded to other organizations, including chain restaurants, staffing companies, schools, tribal organizations, and nonprofits.  The scam involves emails sent to payroll or human resources employees that appear to be from organization executives and request a list of all employees and their Forms W-2.  Once the scammer receives the information, it can be used to file false tax returns and claim employee refunds.
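The pattern described above (an executive's display name on an outside address, a request for W-2 or SSN data, pressure to act quickly) is simple enough to screen for at the mail gateway before a payroll inbox ever sees it. The following is an added example of such a check, not code from the IRS or from this post; the `example.com` domain, the executive directory, and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed (hypothetical) organization data: the internal mail domain and a
# directory of executives whose names an impersonator would likely borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}

# Phrases that characterize the request itself, and the urgency that usually rides with it.
W2_REQUEST = re.compile(r"\b(w-?2s?|social security numbers?|ssns?)\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent|immediately|right away)\b", re.I)
IDENTITY_FLAGS = {"executive name on non-directory address", "sender outside internal domain",
                  "Reply-To routes replies elsewhere"}


def assess_w2_request(raw_email: str) -> List[str]:
    """Return the indicators found in one RFC 5322 message (headers plus plain body)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings = []
    known_addr = EXECUTIVES.get(name.strip().lower())
    if known_addr and addr.lower() != known_addr:      # display name borrowed, address not ours
        findings.append("executive name on non-directory address")
    if addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN:
        findings.append("sender outside internal domain")
    if reply_to and reply_to.lower() != addr.lower():   # replies silently diverted
        findings.append("Reply-To routes replies elsewhere")
    if W2_REQUEST.search(text):
        findings.append("requests W-2 or SSN data")
    if URGENCY.search(text):
        findings.append("pressures for fast turnaround")
    return findings


def is_suspicious(raw_email: str) -> bool:
    """Flag a W-2/SSN request that also carries at least one sender-identity indicator."""
    found = set(assess_w2_request(raw_email))
    return "requests W-2 or SSN data" in found and bool(found & IDENTITY_FLAGS)


# Constructed sample messages: one mimicking the scam, one routine internal mail.
SCAM = ("From: Jane Doe <jane.doe@examp1e-mail.com>\nTo: payroll@example.com\n"
        "Subject: W2 list needed ASAP\n\nKindly send me the list of all employees and their 2016 W-2s as a PDF.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\n"
         "Subject: Board meeting agenda\n\nPlease add the Q1 headcount summary to Thursday's agenda.\n")
```

A hit should route the message for out-of-band verification with the named executive rather than be answered by the recipient.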

According to IRS Commissioner John Koskinen, this is one of the most dangerous phishing scams the tax world has faced in a long time.  The IRS and its state and industry partners, known as the “Security Summit,” have enacted safeguards in 2016 and 2017 to identify and halt scams such as this, but cybercriminals simply evolve their methods to avoid those safeguards.  A 2016 Government Accountability Office report found that in 2014, the IRS paid an estimated $3.1 billion in fraudulent identity theft refunds.  The report also found that the IRS prevented the payment of, or recovered, another $22.5 billion in identity theft refunds in the same year.  Both numbers were down from the prior year, but it is somewhat unclear whether that is a result of a change in the methodology used to calculate the estimates.

To add insult to injury, some scammers are going back to the well by following up on the Form W-2 request with an email requesting a wire transfer.  As a result, some entities have not only exposed their employees’ personal information and made them vulnerable to potential identity theft but also lost thousands of dollars.  Employers should ensure that payroll, treasury, and accounts payable processes and procedures are in place to prevent the unauthorized sharing of Form W-2 information and unauthorized wire transfers.

Organizations that receive a scam email should forward the email to phishing@irs.gov, placing “W2 Scam” in the subject line.  In addition, organizations should file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the FBI.  If an organization has already had Forms W-2 stolen, it should review the Federal Trade Commission and IRS’s recommended actions, available at www.identitytheft.gov and www.irs.gov/identitytheft, respectively.  Employees concerned about identity theft can consult Publication 4524 and Publication 5027 for information.  If an employee’s tax return gets rejected because of a duplicate social security number, he or she should file Form 14039, “Identity Theft Affidavit.”