The IRS has issued a dire warning to businesses and nonprofits—don’t respond to e-mail requests for employee information without confirming the source—even if the request comes from within your own company. Here’s why. In the latest scams, an HR staffer gets an email from a business executive at the company requesting a list of all employees and their W-2s. The employee assembles the information and transmits it promptly to the boss. The problem is that the email is not really from the business executive but instead is from a cybercriminal who is impersonating a company executive’s email address. The criminals then use the information to immediately file fraudulent tax returns that mirror the actual income received by employees – making the fraud more difficult to detect. Fraudsters also will try to trick an employee into transferring funds into a specified account with these executive emails.
Business Email Compromise Widespread
This type of fraud has been deemed “business email compromise” or BEC and is one of the most dangerous phishing schemes trending nationwide. The number of businesses, nonprofits, and other institutions victimized by the W-2 scam increased from 50 in 2016 to 200 in 2017. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen, according to the IRS. Compromised Forms W-2 give the thieves access to an employee’s name, address, Social Security number, income and exact tax withholding amounts. The culprits behind these scams are national and international organized crime groups who have targeted businesses and organizations in all 50 states and 100 countries worldwide.
What Victims Can Do
The best thing to do if your company is a victim is to promptly notify the IRS so it can take steps to help prevent employees from being victims of tax-related identity theft. The IRS has an email notification address specifically for businesses and organizations to report W-2 thefts: email@example.com. Be sure to include “W-2 scam” in the subject line and contact information in the body of the email. Businesses and organizations that receive a suspect email can forward it to firstname.lastname@example.org, with “W-2 scam” in the subject line.
Protecting Businesses from BECs
Employers should review their policies for sending sensitive data such as W-2s or for making wire transfers based solely on an email request—even one that appears to come from within the company. Here are some steps your company can implement to guard against W-2 scams:
- Confirm requests for W-2s, wire transfers or any sensitive data exchanges verbally, using known company phone numbers, not telephone numbers listed in the email.
- Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
- Educate employees about this scam, particularly those with access to sensitive data such as W-2s and those with authorization to make wire transfers.
- Consult with an IT professional and follow these FBI-recommended safeguards:
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company email. For example, legitimate e-mail of abc_company.com would flag fraudulent email of abc-company.com.
- Create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown.
- Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
If a business email compromise incident happens at your company, you also can file a complaint with the FBI at the Internet Crime Complaint Center (IC3.)