It’s not even on the IRS’s list of top 12 tax scams. It’s not frequently talked about in conversations regarding identity theft and fraud. But W-2 fraud is a growing threat, and it affects all businesses. In the 2017 filing season, 100 employers in the first 10 weeks were affected, which put about 120,000 employees at risk.
W-2 fraud is also known as business email compromise (BEC) or business email spoofing (BES). Identity thieves consider the information contained in W-2s to be extremely valuable, and their efforts to dupe entire organizations are sophisticated and technologically advanced.
How Does W-2 Fraud Work?
What makes this type of fraud so difficult to catch is that it originates as an email from a company executive. Fraudsters first imitate the boss’s email address, then use it to contact someone in payroll or human resources. Fraudulent emails usually begin with a simple greeting and question, and then the scammer, posing as the executive, requests payroll data or W-2s for all employees. Once the attachment is sent, it only takes one or two days for the fraudster to file fake returns and steal other information. And it can take weeks to detect, since the original email appeared to be from someone trustworthy inside the organization.
Protecting Against W-2 Fraud
There might already be policies in place to protect against W-2 fraud; it’s just a matter of following them. For example, sending sensitive attachments via email may be prohibited. If it’s not, consider implementing it. This goes for requests for passwords or bank account numbers, too.
Always ask in person before complying with a request for financial information over email. And encourage employees to question requests for employee or financial data over email, no matter who it comes from. Verifying a request takes only a moment and is an easy step to prevent potential fraud.
Make sure HR and payroll employees are informed about the way W-2 fraud works and what the risks are. Training sessions for employees should focus on identifying phishing scams and cyber security threats. And consider either limiting access to the types of files that could be used in fraud, requiring two-step authentication or limits on what files can be sent electronically, or both.
What to Do Next
If you suspect your business’s W-2 data was stolen, the IRS recommends taking the following actions.
- First, email dataloss@irs.gov to report the W-2 theft. Use “W-2 Data Loss” in the subject line and do not include any attachments. You should include this list of information:
- Business name
- Business EIN associated with the data loss
- Contact name and number
- Summary of how the data loss occurred
- Volume of employees impacted
- Then, email the Federation of Tax Administrators at StateAlert@taxadmin.org to begin the process of reporting victim information to states.
- Next, log a complaint with the FBI’s Internet Crime Complaint Center. This may also coincide with filing a police report in your local jurisdiction.
- Later, forward the scam email to phishing@irs.gov.
Finally, notify employees. Employees can be affected by anything from fraudulent returns to stolen personal information, so timing is critical. At a minimum, instruct your employees to file a fraud alert or credit freeze with one of the credit reporting agencies. Specific recovery steps vary according to the type of fraud that was perpetrated and can include contacting individual vendors, credit card companies, debt collection agencies, and law enforcement agencies, to both report the crime and get cleared of any fraudulent criminal charges, if applicable. The site www.identitytheft.gov has a list of steps and recovery plans to help individuals affected by fraud.
Tax fraud is at an all-time high this time of year. Stay vigilant and always contact your CPA with any questions or concerns. Naden/Lean’s tax team can be reached here anytime.