W-2 phishing scam targets consumers' tax refunds. Employers urged to limit access to employees' tax records

  • Share:
January 29, 2018

Small Business owners have enough to worry about and now let's add a potential scam to the mix. Here's another scam to worry about. From the ConsumerAffairs:

The Internal Revenue Service (IRS) is warning employers to be on guard against the Form W-2 phishing scam as tax season gets underway.

The scheme defrauded thousands of taxpayers and hundreds of organizations last year, and the tax agency worries it will be worse this year. It calls the W-2 scam "one of the most dangerous phishing emails in the tax community."

Unlike most scams, which take a widespread approach and target as many potential victims as possible, the Form W-2 scam is much more narrowly focused.

Cybercriminals identify a target -- a large company or organization -- then conduct research to learn the names of those in charge of payroll or personnel files.

They then assume the identity of one of the organization's top executives, spoof their email account, and request copies of Form W-2 for all employees from an unsuspecting payroll officer. For an identity thief, this form is solid gold.

Everything an identity thief needs

A W-2 contains an employee’s name, address, Social Security number, income, and withholdings. It's all the information a criminal needs to file a fake tax return and have the refund transferred directly to themselves.

A criminal might file hundreds of fake returns to collect refunds or post the information for sale to other criminals on the Dark Web.

The IRS is doing more than trying to educate employers about the scam. It is urging all companies and organizations to limit the number of people who can gain access to this information.

Compounding matters is the fact that criminals filing bogus tax returns, using stolen Social Security numbers, has been a growing problem over the last few years. Now that the IRS has established ways to help identify made-up tax returns, thieves have jumped ahead and tried getting their hands on the actual tax documents.

Policy change may be needed

The IRS says employers need to exercise greater caution in handling employee tax records and thoroughly check out all requests for information before they provide it.

Taxpayers can reduce their chances of being victims by filing their federal tax return as soon as possible. If a scammer files a return in that taxpayer's name later using stolen data, the IRS can instantly recognize it as a fake.

If an employer recognizes that it has been victimized, it should notify the IRS immediately. The agency can then take steps to reduce the chances that employees will become victims.

Employers should notify the IRS using the email dataloss@irs.gov. In the subject line, type "W2 Data Loss."

I don't want to spend time and money 'fixing' my identity after a breach. How About You? Press here for more information on our IDShield plan.

And remember, over 50% of all identity theft will result in a legal issue. Press here to learn more about our legal plans.

For all you free-lance entrepreneurs check out SHAKE. Where you can create binding documents on the fly.

Have you ever needed a quick answer to a legal question? With Ask LegalShield, you now have access to over 1,200 commonly asked legal questions and answers right in your pocket and it's free!

Phil Liso, Contact
(562) 322-7376