The Internal Revenue Service (IRS) has had its hands full so far this year dealing with fraud.
In late February the tax agency announced that last year's breach of its “Get Transcript” app was worse than originally reported. A further review found potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014 through May 2015. The “Get Transcript” web application has been offline since this incident was discovered in May.
If that weren't bad enough, the IRS is dealing with an explosion in new attempts to steal money by filing fake tax returns. Fraudsters who obtain a taxpayer's name and Social Security number can make up a return claiming a large refund, which often gets paid before the real taxpayer gets around to filing a return.
Now, the IRS is worried about a new wrinkle on an old scam that has the potential to make the bogus tax return scam even more profitable – and dangerous.
People are receiving a phishing email that is made to look like it is coming from a top executive at the victim's place of employment. It asks that payroll data on all employees be sent via email for a review. That data contains all the information a scammer needs to file hundreds, maybe thousands, of fake tax returns.
New twist on old scheme
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” IRS Commissioner John Koskinen said in a statement. “Now the criminals are focusing their schemes on company payroll departments.”
This scam marks a departure from previous versions, in which a fraudster sent out millions of phishing emails, hoping to get lucky with just a few. Instead of picking victims at random, it appears scammers are scanning social media sites, looking for people who work in payroll or human resources at their places of employment.
The scammer then spoofs the email address of an actual CEO or department head. It's a lot of work, but if the scammer can trick just one HR person at a large company, the payoff could be thousands of personnel files, containing the most sensitive information.
The IRS is issuing a special warning to people who work in payroll or HR positions to be extra vigilant.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond,” Koskinen said. “Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
The scammers have used common wording in making their requests. They have included the following:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
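The wording above can be turned into a mail-filter check that holds a message until the request has been confirmed with the executive through another channel. The following Python code is an added example, not part of the original article or any IRS tool; the function names, sample messages, executive name and domains are constructed, and the Reply-To comparison is an assumption about how replies to a spoofed address get diverted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases taken from the scam wording quoted in the list above.
SENSITIVE = re.compile(
    r"\bW-?2\b|social security number|wage and tax statement|earnings summary", re.I)
BULK = re.compile(r"\b(all|list of)\b[^.]*\b(employees|staff)\b", re.I)

# Constructed sample messages (names and domains are made up).
SAMPLE_SPOOFED = (
    "From: Jane Doe <jane.doe@example-corp.test>\n"
    "Reply-To: jane.doe@mail-example.test\n"
    "Subject: W-2 review\n\n"
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary "
    "of all W-2 of our company staff for a quick review.\n")
SAMPLE_BENIGN = (
    "From: Sam Lee <sam.lee@example-corp.test>\n"
    "Subject: Friday meeting\n\n"
    "Please send all staff the agenda for Friday.\n")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def body_text(msg):
    # Collect text/plain parts; covers simple and multipart messages.
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def review(raw, executives, company_domain):
    """Return (needs_verification, reasons) for one raw message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    if not (SENSITIVE.search(text) and BULK.search(text)):
        return False, []
    reasons = ["bulk request for W-2 or SSN data"]
    if name.strip().lower() in executives:
        reasons.append("sender display name is an executive")
        if domain(from_addr) != company_domain:
            reasons.append("executive name on an outside address")
    # Assumption: a Reply-To on another domain suggests replies are diverted.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    return True, reasons

if __name__ == "__main__":
    for raw in (SAMPLE_SPOOFED, SAMPLE_BENIGN):
        print(review(raw, {"jane doe"}, "example-corp.test"))
```

A bulk W-2 request is flagged even when the sender looks legitimate, since a spoofed From address can match the real one exactly.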
Koskinen says IRS criminal investigators are reviewing several cases in which people have been tricked into sharing Social Security numbers with cybercriminals.
After years of increasing refund fraud, the IRS said it is working with state tax officials to identify fraudulent returns faster. It also instituted new security requirements this year for filing of online returns. Even so, the IRS is expected to send out $21 billion in fraudulent refunds this year.