The IRS is warning businesses and tax professionals to beware of a recent increase in an email scam targeting employee W-2 forms.

The W-2 scam—called a business email compromise or BEC—occurs when a cybercriminal is able to spoof or impersonate a company or organization executive's email address and target a payroll, financial, or human resources employee with a request.

For example, fraudsters will try to trick an employee to transfer funds into a specified account or request a list of all employees and their W-2 forms.

Email Scam Sees Sharp Increase

In 2017, the IRS saw the number of businesses, public schools, universities, tribal governments, and nonprofits victimized by the W-2 scam increase to 200 from 50 in 2016.

Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen.

The FBI reported earlier this year that there has been a 1,300% increase in identified losses—with more than $3 billion in wire transfers—since January 2015.

The FBI found that the culprits behind these scams are national and international organized crime groups who have targeted businesses and organizations in all 50 states and 100 countries worldwide.

During the 2016 filing season, the IRS first warned businesses that the scam had migrated to tax administration and scammers were using business email compromise tactics to obtain employees’ W-2 forms.

The FBI reported a 1,300% increase in identified losses—with more than $3 billion in wire transfers.
The criminals were immediately filing fraudulent tax returns that could mirror the actual income received by employees—making the fraud more difficult to detect.

Protect Your Company

The IRS established a special email notification address specifically for businesses and organizations to report W-2 thefts. Be sure to include "W-2 scam" in the subject line and information about a point of contact in the body of the email.

Businesses and organizations that receive a suspect email but do not fall victim to the scam can forward it to the IRS, again with "W-2 scam" in the subject line.

Employers, including tax practitioners, should review their policies for sending sensitive data such as W-2s or making wire transfers based solely on an email request.

Businesses and tax professionals should consider taking these steps:

  • Confirm requests for W-2 forms, wire transfers, or any sensitive data exchanges verbally by calling the person who purportedly sent it, using a phone number you know is his or hers—not the number provided in the email.
  • Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
  • Educate employees about this email scam, particularly those with access to sensitive data such as W-2s or authorization to make wire transfers.
  • Consult with an IT professional to: (a) create intrusion detection system rules that flag emails with extensions that are similar to company email, (b) create an email rule to flag email communications where the reply email address is different from the from email address shown, and (c) color- code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
  • If a BEC incident occurs, notify the IRS and file a complaint with the FBI at the Internet Crime Complaint Center.

    Don't miss CBIA's five-part webinar series on cybersecurity for small to midsize businesses, beginning Sept. 20.