As the Internal Revenue Service, the state tax agencies and the tax industry make progress combatting identity theft, cybercriminals need more data to impersonate real taxpayers and file fraudulent returns for refunds.
Currently, a particularly dangerous email scam is circulating. Here’s how it works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).
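A defensive check for the pattern described above, as an added example that is not part of the original page: it flags a message that shows an executive's name with an outside address, directs replies outside the organization, failed sender authentication, or asks for W-2 data. The company domain, executive name, keyword list and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organization details (hypothetical values for illustration).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}  # executive display names, lowercased
W2_TERMS = ("w-2", "w2", "wage and tax statement")

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: "Pat Morgan" <pat.morgan@example-mail.test>
Reply-To: ceo.office@example-mail.test
To: payroll@example.com
Subject: Employee W-2 forms needed today
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail

Please send me the list of all employees and their Forms W-2.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def w2_spoof_indicators(raw):
    """Return the names of the indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    found = []
    # Executive's name shown, but the address is not on the company domain.
    if display_name in EXECUTIVES and domain_of(msg.get("From")) != ORG_DOMAIN:
        found.append("executive_name_external_address")
    # Replies would leave the organization even if From looks internal.
    if msg.get("Reply-To") and domain_of(msg.get("Reply-To")) != ORG_DOMAIN:
        found.append("reply_to_outside_org")
    # The receiving mail server recorded an SPF or DMARC failure.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        found.append("sender_auth_failed")
    # Subject or plain-text body asks for W-2 data (multipart bodies skipped).
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in W2_TERMS):
        found.append("requests_w2_data")
    return found

if __name__ == "__main__":
    print(w2_spoof_indicators(SAMPLE))
```

All four checks read only the message headers and plain-text body, so they work on a saved copy of the original email but not on a forwarded copy that has lost its headers.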
Because time is critical, the IRS has created avenues for businesses and payroll service professionals to report if they lost data to this scam or if they only received the email without falling victim. If your company did not fall victim, see how to report the scam email to the IRS.
How to report a data loss related to the W-2 scam
If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft. Ways to contact the IRS* about a W-2 loss include
*The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS web sites and IRS impersonation emails.
How to report data loss to state tax agencies
How to report data loss to other law enforcement officials
What to tell your employees about a Form W-2 data loss
Cybercriminals who successfully steal Forms W-2 immediately attempt to monetize their thefts. Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to commit other crimes. Here is some guidance to share with your employees:
If your business received the email but did NOT fall victim to the scam, forward the email to the IRS. The IRS needs the email header from the phishing email for its investigation, which means you must do more than just forward the email to firstname.lastname@example.org. Here’s what to do with the W-2 email scam: