IRS warns of potential surge in fake CEO phishing scam

Dont Take the Bait Graphic

* This article and image was written by Don’t Mess With Taxes and published online on January 19, 2018.

With the official start of the 2018 tax filing season just more than a week away, folks have been collecting important tax statements they’ll need to file their returns.

Identity thieves, unfortunately, are among those looking for those documents, particularly W-2 forms that most filers use to report their wage income.

That’s why the Internal Revenue Service is urging everyone to be on guard against the return of the Form W-2 phishing scam that last year made victims of hundreds of organizations and thousands of employees.

Costly employment-related tax scam: The W-2 scam has emerged as one of the most dangerous phishing emails in the tax community, says the IRS.

In 2017, reports from victims or those who were targets of the scam to [email protected] jumped to approximately 900, nine times the number of reports to the IRS about this tax statement scam in 2016.

On the company side, more than 200 employers were victimized. That translate into hundreds of thousands of employees who had their identities compromised, says the IRS.

During the last two tax seasons, payroll personnel or people with access to payroll information were primary targets. In these con cases, the W-2 data overseers were tricked into disclosing sensitive information for entire work forces.

And scammers were able to get this workplace data — which is everything need to commit tax identity theft and fraudulent return filing — from all types of employers, ranging from small and large businesses, public schools, universities, hospitals, tribal governments and charities.

Even a major league sports franchise fell victim. In 2016, the National Basketball Association’s Milwaukee Bucks had its tax data stolen in phishing scam. The data lost to the crooks included that of rank-and-file employees of the NBA team to that from the franchise’s multimillionaire players.

The scam reappeared with a vengeance in early 2017, with cybercriminals sending out fake emails that appeared to come from companies’ top executives.

Fake executive tax scam: The crooks pose as the boss ask payroll or personnel department employees to send him/her all the tax data on his/her workers.

In defense of those who fall/fell for the scam, there are few among us who would say no to the head of the company.

Here are the details, as gathered over the years by the IRS, as to how the scam works.

Cybercriminals do their homework, identifying chief operating officers, school executives or others in positions of authority.

Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees.

The Form W-2 contains the employee’s name, address, Social Security number, income and withholding amounts. Criminals use that information to file fraudulent tax returns, or they post it for sale on the Dark Net.

The initial email may be a friendly, “hi, are you working today” exchange before the fraudster asks for all Form W-2 information.

In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.

Avoiding the scam: To stop or at least limit the amount of this fake W-2 phishing this year, the IRS is alerting taxpayers and working to educate company payroll or finance personnel.

The IRS and its Security Summit partners urge employers to consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests.

Companies also should require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.

Cleaning up afterwards: If the business or organization victimized by these attacks notifies the IRS, the agency says it can take steps to help prevent employees from being victims of tax-related identity theft.

However, because of the nature of these scams, some businesses and organizations did not realize for days, weeks or months that they had been scammed.

Still, as soon as you realize your company has been compromised, use the IRS’ special email notification address [email protected] to notify the agency of Form W-2 data thefts. Be prepared to provide the IRS:

  • Contact information, including
    • Business name
    • Business employer identification number (EIN) associated with the data loss
    • Contact name
    • Contact phone number
    • Summary of how the data loss occurred
    • Volume of employees impacted
  • Type “W2 Data Loss” in your reporting email subject line so that the email can be routed properly.
  • Do not attach any employee personally identifiable information data.

If your business gets the W-2 phishing email, but your payroll staff doesn’t fall for it, send the full email headers to [email protected] and use “W2 Scam” in the subject line.

What victimized workers can do: If a worker’s data is compromised via the W-2 con or any other type of tax ID scam, there are steps you can take.

Place a free 90-day fraud alert on your credit reports by contacting any one of the three nationwide credit reporting companies online or through their toll-free numbers. The bureau you contact must tell the other two.

File a complaint with the Federal Trade Commission. The FTC has more guidance at its What To Do Right Away web page.

If you discover a crook using your tax info beat you to filing your return, the IRS’ special identity theft victims’ assistance web page details the steps you should take.

And all of us, employers and employees alike, need to stay alert. Cybercriminal scams constantly evolve.

You also might find these items of interest: