As if tax season isn’t bad enough.
The IRS has issued a new warning urging greater awareness and suspicion of unsolicited requests for employee W-2s. Unfortunately, there has been a rash of phishing incidents nationwide, with cybercriminals gaining unfettered access to employee Social Security numbers and other identifying information found on W-2s.
The scam is really quite simple: the thieves pose as company executives and send authentic-looking emails requesting a file of all employee W-2s. The IRS notes the use of these or similar lines within the email:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Payroll and human resources departments, already stretched by the legitimate requirements of the tax season, simply comply—and with the click of a mouse, the identities of hundreds or thousands of employees are suddenly exposed. The criminals then file taxes under these employee names, but redirect returns to their own accounts.
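One way a mail gateway or a reported-message mailbox could flag requests like the ones quoted above for out-of-band confirmation, as an added example that is not from the IRS warning or the original post. The domain `example.com`, the reason labels, and the sender and Reply-To checks are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Wording drawn from the request lines the IRS quotes above.
DOCUMENT_TERMS = [r"\bw-?2s?\b", r"wage and tax statement", r"earnings summary",
                  r"social security number", r"date of birth", r"\bsalary\b"]
BULK_TERMS = [r"\ball\b.{0,40}(w-?2s?|employees|staff)",
              r"list of (w-?2s?|employees)"]

def is_bulk_request(text):
    """True when text names W-2 or identity data AND asks for it in bulk."""
    text = text.lower()
    return (any(re.search(p, text) for p in DOCUMENT_TERMS)
            and any(re.search(p, text) for p in BULK_TERMS))

def _domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return reasons to hold a single-part plain-text message for verification."""
    msg = message_from_string(raw_message)
    reasons = []
    if is_bulk_request(f"{msg.get('Subject', '')}\n{msg.get_payload()}"):
        # Held even when From looks internal: the scam impersonates executives.
        reasons.append("bulk-identity-data-request")
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if from_dom != COMPANY_DOMAIN:
        reasons.append("sender-outside-company")
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-mismatch")
    return reasons

# Constructed sample messages (names and addresses are made up).
SPOOFED = ("From: Pat Example <ceo@example.com>\n"
           "Reply-To: ceo.example@mail.test\n"
           "Subject: Quick request\n\n"
           "Can you send me the updated list of employees with full details "
           "(Name, Social Security Number, Date of Birth, Home Address, Salary).\n")
BENIGN = ("From: Payroll <payroll@example.com>\n"
          "Subject: Your W-2\n\n"
          "Your 2016 W-2 is now available in the payroll portal.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(name, triage(raw))
```

A message that trips `bulk-identity-data-request` is a candidate for confirmation with the named executive through a separate channel before anything is sent, whatever the From header shows.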
Across the U.S., companies are just now discovering the data loss after their own employees have tax filings denied because the IRS has already processed a return under their name. Our hope is that by sharing this IRS warning now, we can help other companies avoid falling prey. Of course, phishing isn’t limited to tax season, so we recommend recurring employee reminders to investigate and confirm the authenticity of any requests made, internally or externally, for sensitive identity or financial information. As always, if you have any questions about cybersecurity or recommended protection measures, please contact your MJ consultant or Aaron Shields at 317-805-7500 or firstname.lastname@example.org.