The Internal Revenue Service (IRS) recently issued an urgent alert regarding a dangerous W-2 phishing scam that is targeting employers across a wide variety of sectors, including everything from businesses to schools to tribal organizations. Not only is this type of fraud becoming widespread, but there is also a unique twist to this scheme, designed to further compound the potential injury. After fraudulently obtaining the W-2 information, scammers send an immediate follow-up requesting a wire transfer of funds.
When a company falls victim to this scam, not only do their employees face the possibility of tax fraud from the stolen W-2 forms, but the company also loses funds from the fraudulent wire transfer. It is a double whammy, and according to the IRS, it has already affected hundreds of organizations. Scams related to tax forms are not a new problem – in fact, the IRS has been warning businesses and consumers alike for several years of criminal efforts to acquire employee information in order to hijack tax refunds (among other frauds).
At its core, this latest scheme is a targeted phishing scam that employs social engineering techniques to deceive the recipient into thinking the requests are valid by using specific, credible information about the sender. In this case, the scammer sends a legitimate-looking email (usually from the CEO or other executive of the company) to HR, payroll, or accounting. The email typically heightens the recipient’s sense of urgency to ensure quick action, and it is proving to be quite effective.
Basic guidelines to help employees spot a scam
- Any email directing an employee to violate standard policies and procedures for information sharing is a red flag that could indicate it is a phishing email.
- Any email that directs someone to send or share sensitive information—passwords, W-2 forms, employee personally identifiable information (PII)—through an external website, phone number, or email address is a major red flag.
- Scammers’ requests for information are not isolated to email—they could use a phone call or a fax. The same rules apply; be wary of any request for sensitive information or wire transfer that is unusual, urgent, or does not follow regular policies or procedures.
Best practices for fighting W-2 and wire transfer phishing attempts
- Require employees to independently verify any type of request for sensitive information that does not follow regular procedures. At a minimum, they should be directed to call their internal colleague (or the vendor or bank, if it is an external request) directly to confirm the request.
- When the IRS issues an alert or when scams like these are reported in the media or through industry bulletins, convey that information to employees immediately so they understand what social engineering attacks look like and can spot them more quickly. Insist employees report any phishing attempt—whether by email, phone, or fax—as a security incident. The attempt should be escalated according to policy, usually to the company’s security management team. Just making everyone aware that an attack was attempted can help employees stay alert.
- Provide regular employee training on policies and procedures for secure data handling to ensure they understand the process.
- Stress that senior executives will never make requests that deviate from these policies and procedures.
Finally, it is important to keep in mind that while this particular phishing scam is targeting employees in HR or payroll, no department is immune. Phishing scams can easily hit a broad range of people in an organization. In many cases, email scams contain malware disguised as a simple file attachment or document link. Clicking on them infects the company’s computer system, giving the scammer access to sensitive information, user credentials, etc., to perpetrate all sorts of fraud.
With proper training and robust protocols governing data sharing, your employees can gain the knowledge needed to quickly detect and escalate these attempts to steal organizational information or funds. Educated employees who are on alert to fraud are your first—and often best—line of defense against cybercriminals.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.