Search
News You Can Use

Alert: W-2 scams are back for 2018 — here’s what you need to know

SHARE THIS STORY

Theo Thimou, Clark.com

If you work in payroll or human resources and you get an email from your boss with a friendly “Hi, are you working today?” the IRS says the identities of your company’s entire workforce could be in the cross-hairs of a criminal.

RELATED: Key 2018 tax dates to know

A look at the popular W-2 scam

For the past two tax seasons, scamsters have been running a successful W-2 email phishing scam operation that has tricked major companies like messaging service Snapchat and disk-drive maker Seagate Technology.

Only, it’s not the companies that suffer the greatest harm from this scam — it’s their rank-and-file employees.

Here’s how this scam works: Through business email compromise (BEC) or business email spoofing (BES), criminals pose as top company brass and send emails to payroll professionals asking for copies of W-2 forms for all employees.

Unfortunately, those earnings summaries have more than just salaries and wages on them. They also contain employees’ names, addresses, Social Security numbers and withholding info.

The crooks can then use that pilfered info to file bogus tax returns or sell it online to other criminals, according to the latest IRS warning.

Once an email chain is established between a payroll professional and a crook masquerading as a CEO, the criminal can even follow up with a request for a wire transfer.

Businesses fight back

So what’s a business to do in light of a crime that’s grown exponentially from just 100+ reported cases in 2016 to some 900 in 2017 — and is only likely to grow from here?

The IRS has a few recommendations:

  1. Companies should limit the number of employees who have authority to handle W-2 requests.
  2. Anyone authorized to handle W-2 requests should be trained in how to validate the query before turning over the requested info.

Meanwhile, do you believe your organization has already fallen victim to a W-2 scam this year? If so, the IRS has a new protocol in place for you in 2018:

  • Email dataloss@irs.gov to notify the IRS of a Form W-2 data loss
  • Use “W2 Data Loss” as the subject line
  • Don’t attach personally identifiable information data for any employee
  • Be sure to include the following in your email:
    • Business name
    • Business employer identification number (EIN) associated with the data loss
    • Contact name
    • Contact phone number
    • Summary of how the data loss occurred
    • Volume of employees impacted

Finally, vigilance on the part of business owners is the best way to combat this scam. If your business or organization receives a scam request but does not fall victim to it, you can send the full email headers to phishing@irs.gov. Be sure to use “W2 Scam” as the subject line so it can be routed properly.

RELATED: New IRS tax withholding tables mean your paycheck might be getting a little bigger soon

Share on Facebook
Share on Twitter
Share
Share