Much like your everyday consumer, businesses, governments, and educational institutions have to constantly be on the lookout for scammers. Unfortunately, a recent report by the IRS shows that many of these larger entities are still falling victim to certain scams called business email compromises, or BECs.
The agency says that one particular BEC called the W-2 scam has become much more prevalent over the past year, and that it has compromised the personal information of many consumers.
“In 2017, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by the W-2 scam increase to 200 from 50 in 2016,” the agency said. “Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen.”
Targeting sensitive information
BECs occur when a scammer or cybercriminal sends an official-looking spoof email to a victim while pretending to be another company, organization, or high-ranking executive. IRS Commissioner John Koskinen says that scammers often target tax professionals or employees with access to sensitive information in order to get the most information possible.
In the W-2 scam iteration, the scammer will generally ask an employee or professional to send a list of all company employees with their W-2 forms. Unfortunate victims who comply with the request sometimes have no idea that they’ve handed over extremely sensitive information to an outside party, including employee names, addresses, Social Security numbers, and income and withholding data. With the information, scammers can then file false tax returns to the federal government and cause major problems for victims.
The IRS says that it first warned businesses of the scam during the 2016 filing season and provided information on how to avoid it. Nevertheless, the number of victims quadrupled by 2017. Officials say that those who fall victim to the scam need to act right away to prevent the most damage.
“If the business or organization victimized by these attacks notifies the IRS, the IRS can take steps to help prevent employees from being victims of tax-related identity theft. However, because of the nature of these scams, many businesses and organizations did not realize for days, weeks or months that they had been scammed,” the agency said.
What to do
In its release, the IRS urges tax professionals and businesses to stay vigilant against BECs and recommends taking the following steps:
- Confirm requests for Forms W-2, wire transfers, or any sensitive data exchanges verbally, using previously-known telephone numbers, not telephone numbers listed in the email.
- Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
- Educate employees about this scam, particularly those with access to sensitive data such as W-2s or with authorization to make wire transfers.
The agency says that businesses should also consult with an IT professional and follow these FBI recommended safeguards:
- Create intrusion detection system rules that flag emails with extensions that are similar to the company's email. For example, if the legitimate email extension is abc_company.com, the rule would flag fraudulent email from abc-company.com.
- Create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown.
- Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
- If a BEC incident occurs, notify the IRS and file a report with the FBI IC3.
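The three email rules above (lookalike sender extension, "reply" address different from "from" address, internal versus external marking) can be sketched as a small header check. This is an added example, not code from the IRS, the FBI, or this article; the flag names, the edit-distance threshold of 2, the mail.example address, and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"  # the article's example, assumed to be "our" domain

def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[len(b)]

def address(msg, header):
    """Lower-cased bare address from a header, '' when the header is missing."""
    return parseaddr(msg.get(header, ""))[1].lower()

def flag_message(raw, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return the names of the rules a raw message trips (empty list = no flag).

    The From header can be forged, so these rules complement SPF/DKIM/DMARC
    checks done by the mail gateway; they do not replace them.
    """
    msg = email.message_from_string(raw)
    sender, reply_to = address(msg, "From"), address(msg, "Reply-To")
    sender_domain = sender.rpartition("@")[2]
    flags = []
    if sender_domain != company_domain:
        flags.append("external-sender")           # the "different color" rule
        if edit_distance(sender_domain, company_domain) <= max_distance:
            flags.append("lookalike-domain")      # abc-company.com vs abc_company.com
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")         # replies would go somewhere else
    return flags

# Constructed sample messages (not real mail).
SAMPLES = {
    "lookalike": "From: CEO <ceo@abc-company.com>\nTo: payroll@abc_company.com\n"
                 "Subject: W-2 list\n\nPlease send all employee W-2 forms today.\n",
    "reply_mismatch": "From: CEO <ceo@abc_company.com>\nReply-To: ceo.office@mail.example\n"
                      "To: payroll@abc_company.com\nSubject: W-2 list\n\nSend the W-2s.\n",
    "internal": "From: HR <hr@abc_company.com>\nTo: payroll@abc_company.com\n"
                "Subject: Benefits enrollment\n\nReminder.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, flag_message(raw))
```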