Find Your Specialist


Contact Us

    Go Back

    W-2 Scam Lures Businesses into Releasing Employee Information

    The IRS has issued a dire warning to businesses and nonprofits—don’t respond to e-mail requests for employee information without confirming the source—even if the request comes from within your own company. Here’s why. In the latest scams, an HR staffer gets an email from a business executive at the company requesting a list of all employees and their W-2s. The employee assembles the information and transmits it promptly to the boss. The problem is that the email is not really from the business executive but instead is from a cybercriminal who is impersonating a company executive’s email address. The criminals then use the information to immediately file fraudulent tax returns that mirror the actual income received by employees – making the fraud more difficult to detect. Fraudsters also will try to trick an employee into transferring funds into a specified account with these executive emails.

    Business Email Compromise Widespread

    This type of fraud has been deemed “business email compromise” or BEC and is one of the most dangerous phishing schemes trending nationwide. The number of businesses, nonprofits, and other institutions victimized by the W-2 scam increased from 50 in 2016 to 200 in 2017. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen, according to the IRS. Compromised Forms W-2 give the thieves access to an employee’s name, address, Social Security number, income and exact tax withholding amounts. The culprits behind these scams are national and international organized crime groups who have targeted businesses and organizations in all 50 states and 100 countries worldwide.

    What Victims Can Do

    The best thing to do if your company is a victim is to promptly notify the IRS so it can take steps to help prevent employees from being victims of tax-related identity theft. The IRS has an email notification address specifically for businesses and organizations to report W-2 thefts: dataloss@irs.gov. Be sure to include “W-2 scam” in the subject line and contact information in the body of the email. Businesses and organizations that receive a suspect email can forward it to phishing@irs.gov, with “W-2 scam” in the subject line.

    Protecting Businesses from BECs

    Employers should review their policies for sending sensitive data such as W-2s or for making wire transfers based solely on an email request—even one that appears to come from within the company. Here are some steps your company can implement to guard against W-2 scams:

    • Confirm requests for W-2s, wire transfers or any sensitive data exchanges verbally, using known company phone numbers, not telephone numbers listed in the email.
    • Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
    • Educate employees about this scam, particularly those with access to sensitive data such as W-2s and those with authorization to make wire transfers.
    • Consult with an IT professional and follow these FBI-recommended safeguards:
      • Create intrusion detection system rules that flag e-mails with extensions that are similar to company email. For example, legitimate e-mail of abc_company.com would flag fraudulent email of abc-company.com.
      • Create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown.
      • Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.

    If a business email compromise incident happens at your company, you also can file a complaint with the FBI at the Internet Crime Complaint Center (IC3.)

    Related Articles

    • 01.25.2023

      A New Year Means New Privacy Laws

      Ever since the General Data Protection Regulation (GDPR) came into effect in May 2018, US state privacy laws have been passed in Virginia, Colorado, Connecticut, Utah and, most pressing of them all, California. The California Privacy Rights Act (CPRA) went…

      Continue Reading
    • 01.19.2023

      The New Rules Under Section 174

      Internal Revenue Code Section 174 has long been used by taxpayers to deduct certain expenses related to research and experimentation (R&E) in the current year.  The code section was originally enacted in 1954 to eliminate uncertainty in the tax accounting…

      Continue Reading
    • 12.20.2022

      IRS Customer Service May Improve in 2023

      With 4,000 new customer service representatives and plans to hire 700 new Taxpayer Assistance Center (TAC) employees, taxpayers soon may get relief from endless hold times, no in-person help and unresolved problems.

      Continue Reading
    • 12.12.2022

      Reduce Taxable Income with IRA Distributions Transfers

      IRA owners who are age 70½ or over can transfer up to $100,000 per year to charity to reduce their taxable income. These transfers, known as qualified charitable distributions or QCDs, offer end-of-the year tax savings and can count toward required minimum distributions (RMDs) that taxpayers who are age 72 must make each year. Think of it as a tax-free charitable rollover of IRA funds.

      Continue Reading
    • 12.02.2022

      UK R&D Tax Reliefs – Where Are We Now?

      In the November 2022 Autumn Statement, the Chancellor announced significant changes to the current Research and Development (R&D) tax reliefs. The key announcements were a change to the applicable rate of the Research and Development Expenditure Credit (RDEC) and a…

      Continue Reading
    • 12.01.2022

      1099s Required for 2022 Tax Year

      Taxpayers earning income from selling goods or providing services may receive a Form 1099-K, Payment Card and Third-Party Network Transactions, for the first time in early 2023, when the 2022 forms are due. The requirement to file Forms 1099 have…

      Continue Reading
    • 11.28.2022

      IRS Uncovers $3.1 Billion in COVID Fraud

      The IRS Criminal Investigation department (IRS-CI) has partnered with the Justice Department to uncover and prosecute fraudulent activities related to the federal government’s COVID relief programs. To date, the IRS has conducted 840 investigations involving fraud amounts totaling more than…

      Continue Reading
    • 10.25.2022

      IRS Inflation Reduction Act Increases Funds

      The Inflation Reduction Act of 2022, enacted in August, increased funding for the IRS by $80 billion through 2031 for enforcement activities, operations support, systems modernization and taxpayer services. The legislative language, Treasury Secretary Janet Yellen and IRS Commissioner Charles…

      Continue Reading

    Privacy Overview

    When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

    You can enable or disable our use of cookies per category.
    Always Enabled