Tax season is here, and with it comes phishing season. The IRS is expecting last year’s Form W-2 phishing scheme to make the rounds again this year, so here’s what you need to know to prepare yourself and your business to fend off this dangerous scam.

What to watch for

• Using a technique known as business email compromise (BEC) or business email spoofing (BES), criminals pose as company executives and email payroll employees with a request for the W-2 forms for all employees.
• The criminal uses the information contained in the W-2 (such as the employee’s name, address, Social Security number, income and withholdings) to file fraudulent tax returns and/or steal the employee’s identity, or sells the information for profit.

If you or your company has already been victimized by this or similar scams, the IRS can take steps to help prevent employees from being victims of tax-related identity theft if they are notified of the attack. Because of the nature of this scam, often businesses do not discover the theft immediately, so it is important to educate your payroll or finance personnel and be proactive about preventing security breaches of this nature.

What to do if you’ve been targeted

The IRS established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how Form W-2 scam victims can notify the IRS:

• Email dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.
• In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
• Include the following:
  • Business name
  • Business employer identification number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

Businesses and organizations that fall victim to the scam and/or organizations that only receive a suspect email but do not fall victim to the scam should send the full email headers to phishing@irs.gov and use “W2 Scam” in the subject line.

Employers can learn more at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.

Read more information from irs.gov about this scam at IRS, States and Tax Industry Warn Employers to Beware of Form W-2 Scam; Tax Season Could Bring New Surge in Phishing Scheme.