IRS warns of second wave of W-2 email scam


The Internal Revenue Service, along with state tax authorities and the tax preparation industry, are cautioning businesses to beware of an email phishing scam using a corporate officer’s name asking for employee W-2 forms from payroll and human resources departments at companies.

The IRS said Wednesday it has been hearing complaints this week the email scam is making its way across the country for a second time. Last March, the IRS issued a similar warning in the midst of tax season, and the scammers are apparently back this tax season with a similar effort (see IRS warns of new phishing scheme involving W-2s).

The IRS is urging company payroll officials to double-check any executive-level or unusual requests for lists of Forms W-2 or Social Security number they receive by email.

Cybercriminals tricked payroll and HR employees last year into giving employee names, SSNs and income information in response to the emails. Identity thieves then filed tax returns using the employees’ names seeking their tax refunds.

The variation on the phishing scheme is known as a “spoofing” email. It may include the actual name of a company CEO. In this variation, the purported CEO sends an email to a company payroll office or HR employee and requests a list of employees and information including SSNs.

The following requests may be included in the emails:

• “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

• “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”

• “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

The IRS has partnered in recent years with state tax authorities, tax software developers and major tax prep companies in the fight against tax-related identity theft as part of an effort known as the Security Summit. One of the ways they are combating identity thieves is to ask for extra information and steps to authenticate taxpayers, a process known as multifactor authentication that is common in the banking industry. In response, cybercriminals are using ever more sophisticated tactics to try to steal additional information that will enable them to successfully impersonate taxpayers.

Have questions? I’m here to help.