The IRS recently issued an alert to employers to be aware of a successful fraud scheme called “Form W-2 Scam.” In this 2017 “phishing” scam, cyber criminals tricked payroll and HR personnel into disclosing their companies’ sensitive payroll information, victimizing hundreds of employers and thousands of employees. This scam affected all types of employers, from small to large businesses, including nonprofits, schools, universities, and hospitals. “Phishing” is the attempt to acquire confidential information, often for malicious reasons, by masquerading as a trustworthy entity in an email message.
In these extremely sophisticated email scams, cyber criminals pose as company executives or other legitimate members of the leadership team and then request W-2 employee information. The emails often appear harmless since they look like they are being sent from the company’s email domain, and often the correspondence starts with friendly exchanges before any information gets requested.
How can you protect your business and your employees?
- Most importantly, take the time to educate your staff — especially your payroll and HR employees privy to sensitive and confidential information — about these fraud schemes, particularly this W-2 scam since it is tax season. This is also a reminder to limit the number of employees with access to sensitive employee information and to train them to be vigilant when responding to any requests for information.
- Remind your employees to never respond to any request that seems out of the ordinary before calling the person to confirm that they actually made the request. For example, many scams will provide an email address that looks very similar to the address of your organization’s CEO or other executive, but will be one letter off.
- The IRS has set up an email address where you can send any suspected phishing emails; forward these directly to email@example.com.
- You can also report data thefts to firstname.lastname@example.org, with the type of data lost as the subject line.
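The "one letter off" sender address described above can also be screened for automatically. The following is an added example, not part of the IRS alert or the original article; the domain `example-corp.com`, the sample headers, and the function names are assumptions made up for illustration.

```python
from email.utils import parseaddr

# Assumption: replace with your organization's real mail domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample From headers, not taken from real mail.
SAMPLE_FROM_HEADERS = [
    "Pat Lee <pat.lee@example-corp.com>",   # exact match
    "Pat Lee <pat.lee@examp1e-corp.com>",   # one character substituted
    "Pat Lee <pat.lee@exmaple-corp.com>",   # two adjacent letters swapped
    "Pat Lee <pat.lee@example-corp.co>",    # one character dropped
    "newsletter@vendor.test",               # unrelated external sender
    "no-at-sign",                           # not an address at all
]

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'internal', 'lookalike', 'external' or 'malformed' for a From header."""
    _, address = parseaddr(from_header)
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        return "malformed"
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "internal"  # matches the domain, but a From header can still be forged
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"

def triage(headers):
    return [(header, classify_sender(header)) for header in headers]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {header}")
```

An "internal" verdict only means the domain text matches, so the call-back confirmation in the list above still applies to any unusual request.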
The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses, and payroll companies. Individual taxpayers also can be targets of phishing scams, but cyber criminals seem to have evolved their tactics to focus on mass data thefts.
This content is provided with the understanding that HR Knowledge is not rendering legal advice. While every effort is made to provide current information, the law changes regularly and laws may vary depending on the state or municipality. The material is made available for informational purposes only and is not a substitute for legal advice or your professional judgment. You should review applicable laws in your jurisdiction and consult experienced counsel for legal advice. If you have any questions regarding this content, please contact HR Knowledge at 508.339.1300 or email us.