W-2 Email Scam Still “In the Wild”
It’s called a BEC, for Business Email Compromise, and it’s one of the most dangerous phishing email schemes trending nationwide from a tax administration perspective.
Tax professionals and businesses everywhere are being urged to keep their guard up against this BEC targeting employee Forms W-2. The IRS and its fellow federal agencies are warning that the Forms W-2 scam is growing.
The Federal Bureau of Investigation reported earlier this year that there has been a 1,300 percent increase in identified losses from the scam – with more than $3 billion in wire transfers – since January 2015. The FBI found that the culprits behind these scams are national and international organized crime groups who have targeted businesses and organizations in all 50 states and 100 countries worldwide.
How Does It Work?
A business email compromise occurs when a cybercriminal is able to “spoof” or impersonate a company or organization executive’s email address and target a payroll, financial or human resources employee with a request. For example, fraudsters will try to trick an employee into transferring funds to a specified account or into sending a list of all employees and their Forms W-2.
Since the W-2 contains the employee’s name, address, Social Security Number, income and withholding, the scammers use it to file fraudulent tax returns – or post it for sale to other cybercriminals on the Dark Net for a tidy sum.
During the 2016 filing season, businesses were first warned by the IRS the scam had migrated to tax administration and scammers were using BEC tactics to get their hands on employee Forms W-2. The cyber-crooks immediately filed fraudulent tax returns that mirrored the employees’ actual income – making detection of the fraud even more difficult.
This year the scope of the scam widened, with public schools, universities, tribal governments and other nonprofit organizations victimized by the W-2 scammers. The number of organizations that fell for the ruse increased from 50 in 2016 to 200 in 2017. That translated into several hundred thousand employees whose personal data was stolen. In some cases, the scammers requested both the employee’s W-2 information and a wire transfer.
What to Do
The IRS, state tax agencies and the tax industry, working together as the Security Summit, are urging tax practitioners to be alert for BEC phishing attacks as part of their Protect Your Clients; Protect Yourself campaign.
The IRS established a special email notification address specifically for businesses and organizations to report W-2 thefts: email@example.com. Be sure to include “W-2 scam” in the subject line and information about a point of contact in the body of the email. Businesses and organizations that receive a suspect email but do not fall victim to the scam can forward it to firstname.lastname@example.org, again with “W-2 scam” in the subject line.
Prevention, of course, is always the preferred route. Businesses of all kinds should review any policy that allows sensitive data such as W-2s to be sent, or funds to be wire-transferred, based solely on an email request.
Tax professionals should consider taking these steps:
- Confirm requests for Forms W-2, wire transfers or any sensitive data exchanges verbally, using previously-known telephone numbers, not telephone numbers listed in the email
- Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel
- Educate employees about this scam, particularly those with access to sensitive data such as W-2s or with authorization to make wire transfers
- Consult with an IT professional and follow these FBI-recommended safeguards:
  - Create intrusion detection system rules that flag e-mails from domains that are similar to the company’s email domain. For example, legitimate e-mail from abc_company.com would flag fraudulent email from abc-company.com.
  - Create an email rule to flag email communications where the “reply-to” email address is different from the “from” email address shown.
  - Color-code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.
- If a BEC incident occurs, notify the IRS. File a complaint with the FBI at the Internet Crime Complaint Center (IC3).