
    W-2 Scam Lures Businesses into Releasing Employee Information

    The IRS has issued a dire warning to businesses and nonprofits: do not respond to e-mail requests for employee information without confirming the source, even if the request appears to come from within your own company. Here is why. In the latest scams, an HR staffer gets an email from a business executive at the company requesting a list of all employees and their W-2s. The employee assembles the information and transmits it promptly to the "boss." The problem is that the email is not really from the business executive; it comes from a cybercriminal who is spoofing a company executive's email address. The criminals then use the information to immediately file fraudulent tax returns that mirror the actual income received by employees, making the fraud more difficult to detect. Fraudsters also use these executive emails to try to trick an employee into transferring funds into an account they specify.

    Business Email Compromise Widespread

    This type of fraud has been termed "business email compromise," or BEC, and is one of the most dangerous phishing schemes trending nationwide. The number of businesses, nonprofits, and other institutions victimized by the W-2 scam increased from 50 in 2016 to 200 in 2017. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen, according to the IRS. A compromised Form W-2 gives the thieves an employee's name, address, Social Security number, income and exact tax withholding amounts. The culprits behind these scams are national and international organized crime groups that have targeted businesses and organizations in all 50 states and 100 countries worldwide.

    What Victims Can Do

    The best thing to do if your company is a victim is to promptly notify the IRS so it can take steps to help prevent employees from being victims of tax-related identity theft. The IRS has an email notification address specifically for businesses and organizations to report W-2 thefts: dataloss@irs.gov. Be sure to include “W-2 scam” in the subject line and contact information in the body of the email. Businesses and organizations that receive a suspect email can forward it to phishing@irs.gov, with “W-2 scam” in the subject line.

    Protecting Businesses from BECs

    Employers should review their policies for sending sensitive data such as W-2s, and for making wire transfers, based solely on an email request, even one that appears to come from within the company. Here are some steps your company can implement to guard against W-2 scams:

    • Confirm requests for W-2s, wire transfers or any sensitive data exchanges verbally, using known company phone numbers, not telephone numbers listed in the email.
    • Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
    • Educate employees about this scam, particularly those with access to sensitive data such as W-2s and those with authorization to make wire transfers.
    • Consult with an IT professional and follow these FBI-recommended safeguards:
      • Create intrusion detection system rules that flag e-mails sent from domains that closely resemble the company's own domain. For example, if legitimate e-mail comes from abc_company.com, the rule would flag fraudulent e-mail from abc-company.com.
      • Create an email rule to flag messages where the "Reply-To" address differs from the "From" address shown.
      • Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
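    The three FBI-recommended safeguards above can be expressed as simple mail-filter logic. The script below is an added example, not code from the article or from the FBI; it assumes abc_company.com is the legitimate domain (taken from the example above), uses constructed sample messages, and generalizes the lookalike check from the single hyphen/underscore swap in the text to any sender domain within a couple of character edits of the company domain (tune `max_distance` for your own domain length).

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate company domain, taken from the article's example.
COMPANY_DOMAIN = "abc_company.com"

# Constructed sample messages (not real mail): a genuine internal request,
# a lookalike-domain sender, and a spoofed From with an external Reply-To.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@abc_company.com>\nTo: hr@abc_company.com\n"
    "Subject: W-2s\n\nPlease send me all employee W-2s today.",
    "From: CEO <ceo@abc-company.com>\nTo: hr@abc_company.com\n"
    "Subject: W-2s\n\nPlease send me all employee W-2s today.",
    "From: CEO <ceo@abc_company.com>\nReply-To: ceo.office@webmail.example\n"
    "To: hr@abc_company.com\nSubject: W-2s\n\nReply with the W-2 file.",
]

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero value between two domains
    is typical of lookalikes (abc_company.com vs abc-company.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_message(raw, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Apply the three safeguards to one RFC 822 message; returns the
    sender's origin (for color coding) and the list of rule hits."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    flags = []
    # Rule 1: sender domain is not ours but is within a few edits of it.
    if from_domain != company_domain and edit_distance(from_domain, company_domain) <= max_distance:
        flags.append("lookalike-domain")
    # Rule 2: replies would go somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")
    # Rule 3: internal/external classification for color coding in the mail client.
    origin = "internal" if from_domain == company_domain else "external"
    return {"from": from_addr, "origin": origin, "flags": flags}
```

Running `check_message` over each entry of `SAMPLE_MESSAGES` yields no flags for the genuine message, a lookalike-domain hit for the second and a reply-to mismatch for the third.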

    If a business email compromise incident happens at your company, you can also file a complaint with the FBI at the Internet Crime Complaint Center (IC3).
