Now that tax season has ended in the U.S., you might be tempted to think that tax-related scams will let up until next year. Guess again.
W-2 scams are a year-round threat. While tax time makes them particularly attractive to scammers, the threat continues to be strong throughout April and May. According to recent research from Bitsight, W-2 phishing scams spike sharply upwards from February through May, only becoming more sporadic from July through January.
The W-2 scam is a particularly pernicious form of email-based fraud. In this kind of scam, fraudsters pose as the CEO or another senior executive of a company, sending an email to the CFO or someone in finance that requests the W-2 forms for all employees. Thinking that this is an urgent request from the boss, the recipient promptly sends along the employee records — not realizing that they’re going to a malicious outside actor, not the real exec. By the time anyone realizes the mistake, all that employee data (names, addresses, salaries, and Social Security numbers) is in the hands of hackers, who can use it for identity theft, bogus credit card applications, faking access to email accounts through password recovery procedures, and more. W-2 scams often cause employees ongoing harm for years.
Above we have a particularly clear example of a W-2 scam, courtesy of J.D. Supra, which notes:
“The email appears to be a completely legitimate request from a legitimate email address, but in reality the email is from somewhere entirely different and has the ‘REPLY TO’ field (that is typically hidden from the end user) set to an email address controlled by the criminal.”
Anticipating problems, the IRS issued a clear warning early this year. “This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS commissioner John Koskinen said in February.
Despite the alerts, at least half a dozen companies, schools, and even a city have fallen victim to W-2 scams in the past two months alone. Then there was Coupa, which recently fell victim to a phishing attack that exposed its employees’ W-2s. The attacks that have been made public are likely just the tip of the iceberg.
It’s not just in the U.S. where W-2 scams and related tax fraud ploys are on the rise. As Sophos recently reported, U.K. citizens are seeing emails that look like they come from Her Majesty’s Royal Government, promising tax refunds. If the recipients click through, they’re taken to a legitimate-looking site that asks for a ton of personal details. Sophos also reports similar scams in France and Australia.
So what can you do to protect yourself?
Set up email authentication.
In an ideal world, emails sent by fraudsters that appear to come from the IRS or your CEO would be detected and would never get through. That ideal world is rapidly becoming reality: publicly available, widely accepted standards for verifying the identities of email senders exist, and the world’s largest email service providers (Google, Microsoft, Yahoo, etc.) already support them, as do tens of thousands of companies, covering over 80% of the world’s email inboxes. Unfortunately, many companies have yet to take advantage of these powerful, open standards. Our post on DMARC has more details on the latest of these authentication standards. And if you’re not sure whether your domain uses email authentication, use our free, instant domain checker.
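To make the two signals concrete, here is an added example (not code from this post or from any vendor) that applies the ideas above to a message: it flags the hidden Reply-To mismatch described in the J.D. Supra quote, reads the receiving gateway's Authentication-Results header for a DMARC verdict, and checks whether a domain's DMARC record actually enforces a policy. The sample message and the DMARC record strings are constructed; real inbound mail would carry the Authentication-Results header added by your own mail gateway.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample modelled on the W-2 scam described above (not a real capture).
# The From looks like the CEO, but Reply-To quietly points at an outside domain.
SAMPLE_SCAM = """\
From: "Jane Chief" <ceo@example.com>
Reply-To: ceo.example@mail.example.net
To: cfo@example.com
Subject: W-2s for all employees, urgent
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=attacker.example.net; dkim=none; dmarc=fail header.from=example.com

Please send me the W-2s for all staff as PDF today.
"""

def _domain(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    _, spec = parseaddr(addr or "")
    return spec.rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of warning strings for a raw RFC 5322 message (empty = nothing found)."""
    msg = email.message_from_string(raw)
    warnings = []
    from_dom, reply_dom = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        # Replies to a 'CEO' mail would leave the company: the classic W-2 scam tell.
        warnings.append(f"reply-to-mismatch: {from_dom} -> {reply_dom}")
    # Verdict written by the receiving gateway (RFC 8601 Authentication-Results).
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not verdict or verdict.group(1).lower() != "pass":
        warnings.append("dmarc-not-pass: " + (verdict.group(1) if verdict else "absent"))
    if re.search(r"\bw-?2s?\b", msg.get("Subject", ""), re.I):
        warnings.append("w2-keyword-in-subject")
    return warnings

def dmarc_enforces(txt):
    """True if a DMARC TXT record carries an enforcing policy (quarantine or reject).

    A record with p=none only monitors; spoofed mail is still delivered."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags.get("v") == "DMARC1" and tags.get("p", "none").lower() in ("quarantine", "reject")

if __name__ == "__main__":
    for w in check_message(SAMPLE_SCAM):
        print("WARNING:", w)
    print("enforcing:", dmarc_enforces("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

A gateway that already enforces the sender's DMARC policy would have rejected the sample before it reached the CFO; the header check is for the many domains still at p=none.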
Educate your employees and contractors about W-2 scams.
Teach them that they should never respond to an email asking for W-2s or personnel information, even if it comes from a top executive at your company, without first verifying the legitimacy of the request through another channel: Pick up the phone, ping the CEO via Slack, or walk over to their desk and talk to them. Employees should also educate themselves about the warning signs of identity theft so they know what to do if they suspect their tax data has been stolen.
Report incoming W-2 scam emails.
The IRS wants to know if you receive emails that are aimed at getting you to hand over W-2s and other tax information, even if the emails don’t persuade anyone to take action. Forward the plain text of these fraudulent emails to firstname.lastname@example.org, making sure to include all the headers. See the IRS page on phishing scams for more details.
If your company is victimized, notify the IRS.
If you believe your organization has been the victim of a W-2 scam and you’re a U.S. company, notify the IRS as quickly as possible. They may be able to take steps to prevent damage to your employees’ and contractors’ digital identities. The IRS asks that you send an email to email@example.com with your business name, EIN, and other information. See this IRS page for details.