Businesses of all sizes should be alert for a growing scheme in which identity thieves attempt to steal personal information on company employees by accessing their W-2 forms. This sensitive data is highly valued by cyber criminals. Small businesses that may not have dedicated HR or payroll staff are particularly vulnerable to this scam.
Here is how scammers are typically attempting to access W-2 data:
- A company’s bookkeeper or HR department manager receives an email that appears to be from the business owner or other senior executive. But the email is actually a “spoofed” message from a cyber thief.
- The email looks genuine, often opening with a friendly greeting to put the recipient at ease. The cyber criminals take advantage of the trusting nature of people, and they also make sure the email appears to have come from an executive writing to a lower-level employee.
- The fake executive requests that copies of W-2 forms for some or all employees be forwarded via email. An unaware or unalert bookkeeper or HR staffer is often quick to comply.
- Cyber criminals immediately have detailed personal data about dozens or hundreds of the company’s employees.
- It often takes weeks before anyone at the company realizes that the correspondence was spoofed – too late to prevent the thieves from using or selling the stolen data.
- One use of stolen W-2 data is filing fraudulent tax returns to collect refunds. This causes all kinds of delays and problems for the employee when he or she files a genuine tax return.
This scam has become so prevalent that the Internal Revenue Service (IRS) has set up a dedicated process for reporting attempts to access W-2 data. Here is how you should respond if you suspect you have been the subject of a W-2 scam:
- Email email@example.com to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. The business should not attach any employee personally identifiable information.
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
- File a complaint with the FBI’s Internet Crime Complaint Center. Businesses and payroll service providers may be asked to file a report with their local law enforcement agency.
- Notify employees. Employees may then take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
- Forward the scam email to firstname.lastname@example.org.
- Contact your attorneys immediately.
Cyber criminals are becoming increasingly sophisticated in their methods. This scam exploits the trust between people who work together in order to steal valuable information. Anyone who manages or has access to employee information should be made aware of this dangerous scam.
For more information on protecting your company from cyber attack, please contact us at (781) 407-0300.