Threats and Trends in W-2 Form Scams and Data Theft

The Internal Revenue Service (IRS) recently updated guidance on a current attempt by cybercriminals to gain access to employee W-2 forms via an email phishing campaign. Data from the W-2 forms is being utilized in identity theft as well as the filing of tax returns to receive a fraudulent refund.

The Scam

Historically United States Postal Service (USPS) mail theft at the individual mailbox has been one way of gaining access to W-2 forms but cybercriminals are now utilizing more sophisticated email scams to gain access to an entire company’s W-2 forms. In the business email compromise (BEC) scam, Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2.

The most common spoofing technique is for the cybercriminal to register an email domain but to slightly change the domain name such as @exanple.com versus the valid domain of @example.com. The cybercriminal then sends an email and the employee responds to the request as they are busy, recognize the sender’s name and title and the request seems reasonable such as a CFO requesting payroll related data.

Actions to Take

If a company has lost W-2 forms to this scam they should contact the IRS, State tax administrations and the FBI.

1. Report a data loss related to the W-2 data loss scam to the IRS

If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft. Ways to contact the IRS* about a W-2 loss include.

• Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide your contact information listed below so that we may call you. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information (PII) data.
  1. Business name
  2. Business employer identification number (EIN) associated with the data loss
  3. Contact name
  4. Contact phone number
  5. Summary of how the data loss occurred
  6. Volume of employees impacted

2. Report data loss to state tax agencies

• Any breach of personal information could influence the victim’s tax accounts with the states as well as the IRS. You should email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.

3. Report data loss to other law enforcement officials

• Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3)
• Businesses/payroll service providers may be asked to file a report with their local law enforcement agency

4. Tell your employees about a Form W-2 data loss

Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or they may sell the data on the Internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes. Here is some guidance to share with your employees:

1. Review Taxpayer Guide to Identity Theft
2. Share IRS Publication 5027 PDF, Identity Theft Information for Taxpayers, with employees and direct them to the “Steps for Identity Theft Victims” which includes:
   • Contacting one of the three credit bureaus to place a “fraud alert” on their account; they may consider placing a “credit freeze” which offers more protection.
   • File a complaint with the Federal Trade Commission, the lead federal agency on identity theft issues.
   • Review FTC www.identitytheft.gov information for additional steps to recover from identity theft.
3. The FTC also offers guidance to businesses on how to inform employees of the incident and additional steps businesses may take. See Data Breach Response: A Guide for Business.
4. Share IRS Publication 4524 PDF, Security Awareness for Taxpayers, with your employeesIf a business receives a phishing email but have not fallen for the scam the email should be reported to the IRS and the FBI.
   

   How to report receiving the W-2 phishing email

   If your business received the email but did NOT fall victim to the scam, forward the email to the IRS. The IRS needs the email header from the phishing email for its investigation, which means you must do more than just forward the email to phishing@irs.gov. Here is what to do with the W-2 email scam:

5. The email headers should be provided in plain ASCII text format. Do not print and scan.
6. Save the phishing email as an email file on your computer desktop.
7. Open your email and attach the phishing email file you previously saved.
8. Send your email containing the attached phishing email file to phishing@irs.gov. Subject Line: W2 Scam. Do not attach any sensitive data such as employee SSNs or W-2s.
9. File a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.

In conclusion, The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS web sites and IRS impersonation emails. Businesses should make ongoing cybersecurity training part of their security framework to minimize these types of scams being successful.

To read the entire IRS update and others you may click here Form W-2 Scam and Data Theft

Scott Cooper is the President of Tower 23 IT, an IT outsource solution for small to medium businesses specializing in protecting client health and financial data to meet privacy, compliance and security requirements in the healthcare, legal, financial, real estate and insurance industries. Scott can be reached at scottc@Tower23IT.com or 858.877.6219.