W-2 Phishing Email Scam Spreads to Not-for-Profit Organizations
February 8, 2017 - By: SC&H Group
The following blog post from SC&H Group’s Tax Services team discusses the latest developments regarding a corporate W-2 phishing scam, allowing organizations to recognize phishing signs, take preventative action, and mitigate present and future risks.
In today’s technology-driven environment, hacking, malware, and other cybercrimes pose significant risks to not-for-profit (NFP) organizations. Such is the case with the Form W-2 phishing email scam, which is now targeting numerous school districts, tribal organizations, chain restaurants, temporary staffing agencies, healthcare, and shipping and freight companies across the country.
The IRS and various state tax agencies recently issued an alert to employers, noting that the corporate scam is spreading and circulating early this tax season. Even worse, it is evolving. While the scam was first seen last year, this year’s email is being followed by a second email that requests a wire transfer, leaving organizations vulnerable to even larger scale thefts of sensitive financial and tax information.
How the Scam Works, with a Twist
In the Form W-2 scam, cybercriminals use various spoofing techniques to disguise emails as if they were from organization executives. The emails are sent to payroll and human resources departments requesting a list of employees and their respective W-2s.
In this year’s version, the scam includes a new twist that can maximize the amount of information and money that cybercriminals can steal from organizations. Soon after the initial W-2 email arrives, cybercriminals send another executive email to payroll or a comptroller asking for a wire transfer of a specific amount. While this second email does not steal tax information, the combination of it and the first email can cost companies the security of their employees’ personal information—and thousands of dollars.
Further, these scams can have larger consequences for data security in the future. Cybercriminals can use the sensitive data they steal to commit other crimes, such as filing fraudulent tax returns. Also, as the IRS, state tax agencies, and other tax professionals enact safeguards to identify these fraudulent returns through various e-Services, cybercriminals may send emails to e-Services users asking them to update their accounts, thereby giving the cybercriminal access to the users’ IRS credentials.
Measures NFP Organizations Can Take to Mitigate Risk
To raise awareness and help employees take proper action, NFP organizations and other affected sectors should share information about these scams with their payroll, finance, and human resources departments. Organizations should also consider creating internal policies regarding the distribution of employee W-2 information and processes for wire transfer approvals.
If one or more of your employees receive the W-2 email scam, the IRS recommends completing the following actions:
- Forward the email to firstname.lastname@example.org and place “W-2 Scam” in the subject line. The IRS can take steps to help protect employees from tax-related identity theft.
- File a complaint with the Internet Crime Complaint Center operated by the Federal Bureau of Investigation.
- File Form 14039, Identity Theft Affidavit, if the employee’s tax return gets rejected because of a duplicate Social Security number or if instructed to by the IRS.
- Be alert when using search engines to find technical help with taxes or tax software. The wrong tech support link can lead to data loss or an infected computer. Tech support will not randomly call users.
- In addition, NFP organizations can work with experienced tax and consulting professionals to identify W-2 phishing email signs, mitigate areas of risk, and help create secure internal processes for handling W-2 forms, filing tax returns, and completing wire transfers.
To learn more about the latest scam developments and ways to reduce risk, contact SC&H Group’s Tax Services, Risk Management Services, and IT Advisory Services teams here.