IRS Warns to Employees: Don’t Be a Victim of Major W-2 Scam
The IRS and the State of Alabama Department of Revenue are warning businesses and employers of what they say is a growing W-2 scam that is threatening sensitive tax information. They expect the scam will continue for the 2020 tax season and are reminding companies to be aware and vigilant.
According to the Alabama Department of Revenue, the scam has become one of the most dangerous and successful phishing attacks. In the past year, tens of thousands of employees had their W-2 forms stolen. Large and small business, tribal governments, charities, and hospitals were all targeted successfully.
November 27 to December 1 has been named “National Security Awareness Week” by the IRS and the Security Summit partners include state tax agencies and the tax community. Today the focus is on this particular scam in order to keep employers aware of the risk for tax-related identity theft”.
How It Occurs?The Alabama Department of Revenue details how these attacks often occur: the scam usually begins with an email to an employee with access to their payroll. The scammer requests a list of all employees in a company and their W-2 forms having subject line similar to "review" or "request."
The payroll official may have faith in that he is responding to an executive and it may take some weeks for someone to realize that a data breach has happened because criminals will oftentimes file the returns within a day or two of the theft.
Emails can start with a simple text: "Hey, are you in today?” according to the Alabama Department of Revenue. They are seemingly harmless but can end up giving cybercriminals access to all of an organization’s employee W-2 forms.
How and Where to Report About It?The IRS has established a protocol to quickly report these types of schemes. Below is the list of some key steps to report about these W-2 scams:
• Send an email to email@example.com to notify the IRS of a W-2 data loss and provide contact information. Make "W2 Data Loss" the subject line so that the email can be directed correctly and effectively. Do not attach any personal identification information of the employee.
• Send an email to the Federation of Tax Administrators for information on the most proficient method to report victim information to states at StateAlert@taxadmin.org.
• Companies or providers of payroll services must file a complaint with the FBI Internet Crimes Complaint Center (IC3.gov). Companies or payroll service providers might be required to submit a report to their Local Law Enforcement Agency.
• Notify the employees so they can make a move to secure themselves against identity theft. The Federal Trade commission provides guidance at http://www.identitytheft.gov on the general steps employees should take.
• Forward the scam email to firstname.lastname@example.org.
The IRS, tax industry and the state tax agencies are committed to cooperate and are focused on working together to fight against tax-related data frauds or identity theft and protect taxpayers. But in this case, the Security Summit needs help. People can figure out to find ways to protect themselves on the web.
The Security Summit Partners warn that cybercriminals need access to extra and more accurate information in order to file a fraudulent return since the partners have increasingly stopped stolen identity refund fraud. The departments that are most at risk are human resources and payroll.