Most businesses do their due diligence in warning employees about sharing confidential information, such as W-2s, with outside sources they don’t recognize. But what if an email appears to have come from inside your organization?
Cybercriminals are getting more sophisticated with their techniques. As a result, fake websites appear legitimate, and emails can appear to come from a company executive when they do not. The latter is currently in widespread use through a dangerous W-2 scam.
Earlier this month, the IRS issued an urgent alert to employers regarding these W-2 email phishing scams. This scam first appeared last year, targeting mostly corporations. It is back even earlier in this tax season and extends beyond corporations to nonprofits, school districts, hospitals and other organizations.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” said IRS Commissioner John Koskinen.
The scammers are using various spoofing techniques to disguise emails, making them appear to be from executives at the targeted organizations. They send the email to employees in the payroll or human resources departments, requesting a list of all employees and their W-2 forms. Unsuspecting employees comply with this request, allowing for a large-scale theft of sensitive employee tax data.
This type of scam is referred to as business email compromise (BEC) or business email spoofing (BES). The IRS encourages businesses to share information about this scam with their employees. It also suggests implementing a secure method for transferring W-2 information, if one doesn’t already exist in your organization.
Businesses that fall victim to the W-2 scam should report it to the IRS’s Internet Crime Complaint Center. Their secure website is https://www.ic3.gov.