As we count down to tax day, managers need to be alert to particularly effective W-2 tax phishing scams targeting Human Resources and Finance managers. An IRS alert issued last month warns that the scam “has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.” The IRS notes that it is particularly dangerous because it can result in large-scale data theft that can lead to various crimes, including tax refund interception.
The IRS explains how the scam works:
“Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”
Doesn’t sound like something you’d fall for? Don’t be so sure. Security expert Brian Krebs reports on a recent example of W-2 phishing that successfully penetrated a Virginia cyber-security firm, which was forced to alert current and former employees that all the highly detailed and sensitive data in their W-2 forms had been exposed. Yikes.
Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
Both the linked IRS alert and the Krebs article include tips for tax scam avoidance and response. Here are some other resources:
- How to Stop, and Respond to, Tax-Related Identity Fraud Aimed at Your Organization’s Employees
- Stopping Scammers from Phishing HR and Payroll Personnel for W-2s and Other Private Employee Data
In addition to alerting your HR and finance staff to prevent this type of tax fraud, you might consider issuing safety advice to your employees. Pressured last-minute filers can be particularly susceptible to scams and shortcuts. Popular scams offer to help filers get refunds faster. In addition to email and phishing scams, fraudsters pose as IRS staff in bullying phone calls that demand immediate payment, threatening dire consequences. One great resource to stay on top of cyber security threats is Naked Security, a blog sponsored by IT security firm Sophos. They offer an article with a good rundown of common tax scams: Watch out for phishing scams when preparing your tax return.