Email scams targeting employee W-2 forms increased fourfold from 2016 to 2017, according to the IRS.
This year, the number of businesses, public schools, universities, tribal governments and nonprofit organizations victimized by W-2 scams increased to 200 from 50 last year, the agency said. Although the number may seem small, W-2 thefts at those 200 employers translated into several hundred thousand employees whose sensitive data were stolen, the IRS said.
In fact, earlier this year, the FBI said that there has been a 1,300% increase in identified losses — with more than $3 billion in wire transfers — since January 2015.
“These are incredibly tricky schemes that can be devastating to a tax professional or business,” IRS Commissioner John Koskinen said in a statement. “Cybercriminals target people with access to sensitive information, and they cleverly disguise their effort through an official-looking email request.”
In a W-2 scam, a cybercriminal impersonates a company or organization executive’s email address and targets a payroll, financial or human resources employee with a request. In some cases, the fraudsters will try to trick an employee into transferring funds into a specified account via a wire transfer or will request a list of all employees and their W-2 forms.
National and international organized crime groups are behind the scams, according to the FBI, and those groups have targeted businesses and organizations in all 50 states and 100 countries worldwide.
W-2s contains employees’ names, addresses, Social Security numbers, income and withholding amounts. That information can be used to file fraudulent tax returns or can be posted for sale on the internet.
The IRS shares three tips for employers regarding W-2 scams:
Businesses and organizations affected by W-2 theft can report it to the IRS at firstname.lastname@example.org. Include “W-2 scam” in the subject line, and in the body of the email include company contact information.
Businesses and organizations that receive suspicious emails but do not fall victim to a scam can forward the email to email@example.com with “W-2 scam” in the subject line.
The IRS recommends that employers review their policies for sending sensitive data such as W-2 forms and making wire transfers based solely on email requests.