Posts

The IRS, state tax agencies and private-sector tax groups warned the nation’s business, payroll and human resource communities about a growing W-2 email scam that threatens sensitive tax information held by employers.

These emails may start with a simple, “Hey, you in today?” and, by the end of the exchange, all of an organization’s Forms W-2 for their employees may be in the hands of cybercriminals. This puts workers at risk for tax-related identity theft.

The W-2 scam has emerged as one of the most dangerous and successful phishing attacks as hundreds of employers and tens of thousands of employees fell victim to the scheme in the past year. This scam is such a threat to taxpayers that a special IRS reporting process has been established.

The Internal Revenue Service, state tax agencies and the tax community — partners in the Security Summit — are marking “National Tax Security Awareness Week” with a series of reminders to taxpayers and tax professionals. In part four, the topic is the W-2 scam.

Because the Security Summit partners have successfully made inroads into stopping stolen identity refund fraud, criminals now need more information to file a fraudulent return. That means they need more accurate data about taxpayers, causing them to target tax practitioners, payroll professionals and employers. The Form W-2 contains income and withholding information necessary to file a tax return.

All employers are at risk. In 2017, the W-2 scam made victims of businesses large and small, public schools and universities, as well as tribal governments, charities and hospitals. The scam, which grows larger each year, will likely make the rounds again in 2018.

The Security Summit warns employers – in public and private sectors – to beware of this scheme and to educate employees, especially those in human resources and payroll departments who are often the first targets.

This is an example of a business email compromise or business email spoofing in which the thief poses as a company executive, school official or someone of authority within the organization. The crook will send an email to one employee with payroll access, requesting a list of all employees and their Forms W-2. The thief may even specify the format in which he wants the information. The subject line has hundreds of variations along the lines of “review,” “manual review” or “request.”

Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred. Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two.

Because of the W-2 scam’s threat to tax administration for both federal and state governments, a special reporting process has been established to quickly alert the IRS and state tax agencies. Detailed reporting steps may be found at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.

Here’s an abbreviated list of how to report these schemes:

  • Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
  • Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement agency.
  • Notify employees so they may take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
  • Forward the scam email to phishing@irs.gov.

Employers are urged to put steps and protocols in place for the sharing of sensitive employee information such as Forms W-2. One example would be to have two people review any distribution of sensitive W-2 data or wire transfers. Another example would be to require a verbal confirmation before emailing W-2 data. Employers also are urged to educate their payroll or human resources departments about these scams.

As part of the Security Summit effort, the IRS, state tax agencies and the tax industry working together to fight against tax-related identity theft and to protect taxpayers. Everyone can help. Be alert and guard against the W-2 scam.

Taxpayers are also encouraged to visit the “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, to learn more.

Source: https://www.irs.gov/newsroom/national-tax-security-awareness-week-no-4-employers-payroll-officials-avoid-the-w-2-email-scam

With the approach of the holidays and the 2018 filing season, the IRS, state tax agencies and the nation’s tax industry urge people to be on the lookout for new, sophisticated email phishing scams that could endanger their personal information and next year’s tax refund.

The most common way for cybercriminals to steal bank account information, passwords, credit cards or Social Security numbers is to simply ask for them. Every day, people fall victim to phishing scams that cost them their time and their money.

Those emails urgently warning users to update their online financial accounts – they’re fake. That email directing users to download a document from a cloud-storage provider? Fake. Those other emails suggesting the recipients have a $64 tax refund waiting at the IRS or that the IRS needs information about insurance policies – also fake. So are many new and evolving variations of these schemes.

The Internal Revenue Service, state tax agencies and the tax community — partners in the Security Summit — are marking “National Tax Security Awareness Week” with a series of reminders to taxpayers and tax professionals. In part two, the topic is avoiding phishing scams.

Phishing attacks use email or malicious websites to solicit personal, tax or financial information by posing as a trustworthy organization. Often, recipients are fooled into believing the phishing communication is from someone they trust. A scam artist may take advantage of knowledge gained from online research and earlier attempts to masquerade as a legitimate source, including presenting the look and feel of authentic communications, such as using an official logo. These targeted messages can trick even the most cautious person into taking action that may compromise sensitive data.

The scams may contain emails with hyperlinks that take users to a fake site. Other versions contain PDF attachments that may download malware or viruses.

Some phishing emails will appear to come from a business colleague, friend or relative. These emails might be an email account compromise. Criminals may have compromised your friend’s email account and begin using their email contacts to send phishing emails.

Not all phishing attempts are emails – some are phone scams. One of the most common phone scams is the caller pretending to be from the IRS and threatening the taxpayer with a lawsuit or with arrest if payment is not made immediately, usually through a debit card.

Phishing attacks, especially online phishing scams, are popular with criminals because there is no fool-proof technology to defend against them. Users are the main defense. When users see a phishing scam, they should ensure they don’t take the bait.

Here are a few steps to take:

  • Be vigilant; be skeptical. Never open a link or attachment from an unknown or suspicious source. Even if the email is from a known source, approach with caution. Cybercrooks are adept at mimicking trusted businesses, friends and family. Thieves may have compromised a friend’s email address or they may be spoofing the address with a slight change in text, such as name@example.com vs narne@example.com. In the latter, merely changing the “m” to an “r” and “n” can trick people.
  • Remember, the IRS doesn’t initiate spontaneous contact with taxpayers by email to request personal or financial information. This includes text messages and social media channels. The IRS does not call taxpayers with threats of lawsuits or arrests. No legitimate business or organization will ask for sensitive financial information via email. When in doubt, don’t use hyperlinks and go directly to the source’s main web page.
  • Use security software to protect against malware and viruses. Some security software can help identity suspicious websites that are used by cybercriminals.
  • Use strong passwords to protect online accounts. Each account should have a unique password. Use a password manager if necessary. Criminals count on people using the same password repeatedly, giving crooks access to multiple accounts if they steal a password. Experts recommend a password have a minimum of 10 digits, including letters, numbers and special characters. Longer is better.
  • Use multi-factor authentication when offered. Some online financial institutions, email providers and social media sites offer multi-factor protection for customers. Two-factor authentication means that in addition to entering your username and password, you must enter a security code generally sent as a text to your mobile phone. Even if a thief manages to steal usernames and passwords, it’s unlikely the crook would also have a victim’s phone.

The IRS, state tax agencies and the tax industry are working together to fight against tax-related identity theft and to protect taxpayers. Everyone can help. Visit the “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, to learn more.