The Internal Revenue Service (IRS) is warning employers to be on guard against the Form W-2 phishing scam as tax season gets underway.
The scheme defrauded thousands of taxpayers and hundreds of organizations last year, and the tax agency worries it will be worse this year. It calls the W-2 scam "one of the most dangerous phishing emails in the tax community."
Unlike most scams, which take a widespread approach and target as many potential victims as possible, the Form W-2 scam is much more narrowly focused.
Cybercriminals identify a target -- a large company or organization -- then conduct research to learn the names of those in charge of payroll or personnel files.
They then assume the identity of one of the organization's top executives, spoof their email account, and request copies of Form W-2 for all employees from an unsuspecting payroll officer. For an identity thief, this form is solid gold.
Everything an identity thief needs
A W-2 contains an employee’s name, address, Social Security number, income, and withholdings. It's all the information a criminal needs to file a fake tax return and have the refund transferred directly to themselves.
A criminal might file hundreds of fake returns to collect refunds or post the information for sale to other criminals on the Dark Web.
The IRS is doing more than trying to educate employers about the scam. It is urging all companies and organizations to limit the number of people who can gain access to this information.
Compounding matters, the filing of bogus tax returns using stolen Social Security numbers has been a growing problem over the last few years. Now that the IRS has established ways to help identify made-up tax returns, thieves have jumped ahead and tried getting their hands on the actual tax documents.
Policy change may be needed
The IRS says employers need to exercise greater caution in handling employee tax records and thoroughly check out all requests for information before they provide it.
Taxpayers can reduce their chances of being victims by filing their federal tax return as soon as possible. If a scammer files a return in that taxpayer's name later using stolen data, the IRS can instantly recognize it as a fake.
If an employer recognizes that it has been victimized, it should notify the IRS immediately. The agency can then take steps to reduce the chances that employees will become victims.
Employers should notify the IRS using the email firstname.lastname@example.org. In the subject line, type "W2 Data Loss."