As if you need one more thing to worry about this time of year, the IRS has issued an urgent alert regarding phishing scams. These scams target sensitive employee information which crooks can then use to commit various identity crimes, including filing fraudulent tax returns. These types of scams have previously targeted larger corporations but are now going for other sectors including school districts, tribal organizations, nonprofits and small to medium-sized businesses. What can you do to stay one step ahead?
Understand How W-2 Phishing Scams Target Data & Funds
One scheme, which the IRS refers to as "one of the most dangerous email phishing scams we've seen in a long time," targets HR and payroll departments with the intent of stealing employee data. The scam is referred to as business email compromise (BEC) or business email spoofing (BES). Cybercriminals pull off BEC or BES by posing as company executives, requesting W-2s or other personal employee information from HR or payroll departments.
This BEC scam first appeared last year and, based on reports, has gained momentum in recent weeks. Additionally, as these criminals become emboldened, they pursue access to funds as well as data. This year, cybercriminals have begun to follow up on fraudulent requests for employee data with a second spoofed executive email requesting funds be wired to a specified account. Companies have lost employee W-2s and thousands of dollars to these scams.
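As an added illustration (not part of the original post or of any IRS guidance), the sketch below triages inbound mail for the two-stage scam described above: an executive's display name on an outside sender or reply address, combined with a W-2 request or a wire request. The company domain, executive roster and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example, not taken from the article:
COMPANY_DOMAIN = "example.com"           # hypothetical employer domain
EXECUTIVES = {"pat morgan", "lee chen"}  # hypothetical executive display names
W2_REQUEST = re.compile(r"\bw-?2s?\b", re.I)
WIRE_REQUEST = re.compile(r"\bwir(e|ed|ing)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def body_text(msg):
    # Concatenate the text/plain parts of the message.
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")

def triage(raw_message):
    """Return (hold, reasons); hold = confirm with the executive out of band."""
    msg = message_from_string(raw_message)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    reasons = []
    # Executive's name on a sender or reply address outside the company.
    if display in EXECUTIVES and {from_domain, reply_domain} != {COMPANY_DOMAIN}:
        reasons.append("executive-name-external-address")
    if W2_REQUEST.search(text):    # first stage: employee data
        reasons.append("w2-request")
    if WIRE_REQUEST.search(text):  # follow-up stage: funds
        reasons.append("wire-request")
    hold = "executive-name-external-address" in reasons and len(reasons) > 1
    return hold, reasons

def _mail(sender, subject, body, reply_to=None):
    reply = f"\nReply-To: {reply_to}" if reply_to else ""
    return f"From: {sender}{reply}\nSubject: {subject}\n\n{body}\n"

SAMPLES = {  # constructed messages, not real mail
    "w2": _mail('"Pat Morgan" <pat.morgan@examp1e-mail.test>', "Quick request",
                "Kindly send me the W-2s of all employees as a PDF."),
    "wire": _mail('"Pat Morgan" <pat.morgan@example.com>', "Payment today",
                  "Please wire the funds to the account in the attached note.",
                  reply_to="pat.morgan@mail-example.test"),
    "benign": _mail('"Pat Morgan" <pat.morgan@example.com>', "Lunch", "Noon works."),
}
```

A message that forges the company's own domain in From and carries no Reply-To passes this check; catching those depends on sender authentication at the mail gateway and on the out-of-band confirmation policy.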
There are several other spoofing scams that have materialized over the past few years focused on theft of sensitive tax information. Individual taxpayers have been hit, as well as tax professionals themselves. However, cybercriminals appear to be shifting tactics - they're targeting more businesses in order to acquire larger stores of data.
What Can Employers Do
Employers are urged to share information about these scams with their payroll, finance and human resources employees. Employers are also advised to strictly enforce internal policies around the transferring of funds and distribution of W-2s or other sensitive information. Additional actions you can take include:
- Educate your staff about various online and phishing scams. The IRS's Identity Protection: Prevention, Detection and Victim Assistance website includes guidance on how to report a scam.
- If you or one of your employees receives a suspicious email, DO NOT REPLY, OPEN ANY ATTACHMENTS or CLICK ANY LINKS. Forward the email as is to firstname.lastname@example.org with the subject 'W2 Scam.' Then, delete the original email.
- If you or one of your employees receives an unexpected phone call from someone claiming to be from the IRS, write down their name and badge number. Call 1-800-366-4484 to determine if the caller is an IRS employee with a reason to call you.
- If you receive an unexpected letter, written notice or fax from the IRS, determine whether or not it's legitimate. You can do this on the IRS home page or the Understanding Your Notice or Letter page. Keep in mind that fraudulent letters, notices and forms often look like the real thing. If you suspect that you really do owe taxes or need to verify that the IRS is trying to reach you, call them at 1-800-829-1040.
- Be cautious when searching for tax professionals or technical assistance online. The IRS offers resources to help find reliable assistance.
- Use the Federal Trade Commission's free resources that help businesses manage data security and safeguard employees' personal information.
If Your Data Has Been Breached
The Federal Trade Commission has a free guide that advises businesses on responding to a data breach. The guide provides suggestions on:
- How to move quickly to secure your system
- Where to start fixing vulnerabilities
- How to determine who needs to be notified and how to do it
Employees whose W-2s have been stolen can find help on the Federal Trade Commission website. If an employee's tax return is rejected due to a duplicate Social Security number, he/she should file an Identity Theft Affidavit (IRS Form 14039).
We're here to help
Although we can't prevent scam artists and cybercriminals from targeting your company or organization, we are here to help in any way we can. For example, our payroll solutions offer integration with TurboTax. This feature allows W-2 data to be transmitted via an encrypted, secure connection to the TurboTax servers for automatic download if your employees elect to use the tax filing software and choose to import their W-2 data automatically.
Our 24-hour HR On Demand service is there to answer questions about your business 24 hours a day. As you develop policies, respond to requests, or develop your action/reaction plan, our seasoned HR professionals offer guidance based on Human Resources laws and best practices.
And our LifeLock protection solution offers proactive identity theft protection. Although this service will not in and of itself prevent identity theft if personal employee data is breached by a scam described in this blog post, LifeLock offers a comprehensive and innovative monitoring service that will alert an employee as soon as a problem is detected, covering the myriad other ways all of our identities are at risk today. The more quickly your staff are made aware their identity has been compromised, the more quickly they can shut down the fraud. Also, once alerted, if additional action is required, Certified Resolution Specialists are available to handle each case every step of the way. In fact, LifeLock will spend up to $1 million to hire the experts necessary.