W-2 phishing scams are increasing and the number of businesses that have been victimized is escalating. These frauds are a variation on traditional phishing scams, where criminals trick email users into providing confidential information and then use that information to steal money or the victim’s identity.
How it works
In a W-2 phishing scam, cybercriminals send emails to employees claiming to be from company management (typically payroll, benefits or human resources). In the emails, the criminals request a list of employees along with their W-2 forms, Social Security numbers and/or other confidential information.
The highly sophisticated criminals use techniques known as business email compromise or business email spoofing, thus giving the correspondence a legitimate look. Many emails actually contain the company’s logo and names of real executives (that the scammers obtained online). The emails contain expert wording such as, “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
If an employee responds to the phishing email, the thieves use the stolen confidential information to file fraudulent tax returns in the employees’ names. The ultimate goal is to claim the employees’ refunds first.
Education is key
The IRS recently issued an alert urging employers to inform payroll and other employees about the dangers of W-2 phishing scams. Make sure all your workers are educated on the scams, especially those who handle sensitive data. Instruct your employees not to click on links or download attachments from emails that are unsolicited, sent from addresses they don’t recognize or that seem suspicious in any way.
Naturally, employees can be apprehensive about questioning a request that on the surface appears to come from upper management. Just urge them to double-check any email requesting sensitive information, no matter who appears to be making it. Remind them not to respond to the email in question but to first talk to a supervisor or colleague.
Don’t fall victim
Use technology to your advantage – install robust antivirus and spam filters and keep them updated.
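As an added illustration (not part of the original article), here is the kind of rule a mail filter can apply to the pattern described above: a request for W-2 data combined with a sign that the sender is not who the display name claims. The company domain, executive names, sample messages and function names are assumptions made for the example; the DMARC check reads the standard Authentication-Results header that receiving mail servers add.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: your mail domain and the executives scammers might impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
W2_REQUEST = re.compile(r"\bw-?2s?\b|social security|earnings summary", re.I)

def w2_phish_indicators(raw):
    """Return the reasons a raw RFC 5322 message looks like a W-2 phishing request."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    body = b"\n".join(p.get_payload(decode=True) or b"" for p in msg.walk()
                      if p.get_content_type() == "text/plain").decode("utf-8", "replace")
    hits = []
    if W2_REQUEST.search(msg.get("Subject", "") + "\n" + body):
        hits.append("asks for W-2 or SSN data")
    if name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        hits.append("executive name on an outside address")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        hits.append("replies go to a different domain")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        hits.append("sender failed DMARC")
    return hits

def should_hold(raw):
    """Hold for manual verification when a W-2 request comes with any spoofing sign."""
    hits = w2_phish_indicators(raw)
    return "asks for W-2 or SSN data" in hits and len(hits) > 1

# Constructed sample messages (not real mail).
ASK = ("Kindly send me the individual 2015 W-2 (PDF) and earnings summary "
       "of all W-2 of our company staff for a quick review.")
LOOKALIKE = f"From: Jane Doe <jane.doe@examp1e.test>\nSubject: Request\n\n{ASK}\n"
REPLY_TRAP = (f"From: Jane Doe <jane.doe@example.com>\n"
              f"Reply-To: jane.doe@mailbox.test\nSubject: Request\n\n{ASK}\n")
INTERNAL = ("From: Jane Doe <jane.doe@example.com>\nSubject: W-2 schedule\n\n"
            "W-2 forms will be available in the payroll portal next week.\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("reply trap", REPLY_TRAP), ("internal", INTERNAL)]:
        print(label, should_hold(raw), w2_phish_indicators(raw))
```

A held message still needs the out-of-band check described earlier: the recipient confirms the request with a supervisor or colleague before anything is sent.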
With the correct preventive measures in place, your business can reduce the risk of falling prey to W-2 phishing scams. Should your business be attacked, report it to firstname.lastname@example.org immediately. Please call us at 949-860-9902 for more information.