Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others
Washington – The Internal Revenue Service, state tax agencies and the tax industry issued an urgent alert today to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.
In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.
When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies and the tax industry, working together as the Security Summit, have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.
Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is from an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES.)
The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.
Security Summit partners warned of this scam’s reappearance last week but have seen an upswing in reports in recent days.
New Twist to W-2 Scam: Companies Also Being Asked to Wire Money
In the latest twist, the cybercriminal follows up with an “executive” email to the payroll or comptroller and asks that a wire transfer also be made to a certain account. Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars due to wire transfers.
The IRS, states and tax industry urge all employers to share information with their payroll, finance and human resources employees about this W-2 and wire transfer scam. Employers should consider creating an internal policy, if one is lacking, on the distribution of employee W-2 information and conducting wire transfers.
Steps Employers Can Take If They See the W-2 Scam
Organizations receiving a W-2 scam email should forward it to email@example.com and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.
Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return rejects because of a duplicate Social Security number or if instructed to do so by the IRS.
The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.
Be Safe Online
In addition to avoiding email scams during the tax season, taxpayers and tax preparers should be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong “tech support” link could lead to a loss of data or an infected computer.
Taxpayers searching for a paid tax professional for tax help can use the IRS Choosing a Tax Professional lookup tool or if taxpayers need free help can review the Free Tax Return Preparation Programs. Taxpayers searching for tax software can use Free File, which offers 12 brand-name products for free, at www.irs.gov/freefile. Taxpayer or tax preparers looking for tech support for their software products should go directly to the provider’s web page.
Tax professionals also should beware of ongoing scams related to IRS e-Services. Thieves are trying to use IRS efforts to make e-Services more secure to send emails asking e-Services users to update their accounts. Their objective is to steal e-Services users’ credentials to access these important services.
IRS, States and Tax Industry Renew Alert about Form W-2 Scam Targeting Payroll, Human Resource Departments
IR-2017-10, Jan. 25, 2017
WASHINGTON – The Internal Revenue Service, state tax agencies and the tax industry today renewed their warning about an email scam that uses a corporate officer’s name to request employee Forms W-2 from company payroll or human resources departments.
This week, the IRS already has received new notifications that the email scam is making its way across the nation for a second time. The IRS urges company payroll officials to double check any executive-level or unusual requests for lists of Forms W-2 or Social Security number.
The W-2 scam first appeared last year. Cybercriminals tricked payroll and human resource officials into disclosing employee names, SSNs and income information. The thieves then attempted to file fraudulent tax returns for tax refunds.
This phishing variation is known as a “spoofing” e-mail. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office or human resource employee and requests a list of employees and information including SSNs.
The following are some of the details that may be contained in the emails:
• Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
• I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Working together in the Security Summit, the IRS, states and tax industry have made progress in their fight against tax-related identity theft, cybercriminals are using more sophisticated tactics to try to steal evn more data that will allow them to impersonate taxpayers.
The Security Summit supports a national taxpayer awareness campaign called “Taxes. Security. Together.” and a national tax professional awareness effort called “Protect Your Clients; Protect Yourself.” These campaigns offer simple tips that can help make data more secure.
IRS Warns of Back-to-School Scams
PHOENIX - - The Internal Revenue Service today warned taxpayers against telephone scammers targeting students and parents during the back-to-school season and demanding payments for non-existent taxes, such as the “Federal Student Tax.”
People should be on the lookout for IRS impersonators calling students and demanding that they wire money immediately to pay a fake “federal student tax.” If the person does not comply, the scammer becomes aggressive and threatens to report the student to the police to be arrested. As schools around the nation prepare to re-open, it is important for taxpayers to be particularly aware of this scheme going after students and parents.
“Although variations of the IRS impersonation scam continue year-round, they tend to peak when scammers find prime opportunities to strike”, said IRS Commissioner John Koskinen. “As students and parents enter the new school year, they should remain alert to bogus calls, including those demanding fake tax payments from students.”
The IRS encourages college and school communities to share this information so that students, parents and their families are aware of these scams.
Scammers are constantly identifying new tactics to carry out their crimes in new and unsuspecting ways. This year, the IRS has seen scammers use a variety of schemes to fool taxpayers into paying money or giving up personal information. Some of these include:
• Altering the caller ID on incoming phone calls in a “spoofing” attempt to make it seem like the IRS, the local police or another agency is calling
• Imitating software providers to trick tax professionals--IR-2016-103
• Demanding fake tax payments using iTunes gift cards--IR-2016-99
• Soliciting W-2 information from payroll and human resources professionals--IR-2016-34
• “Verifying” tax return information over the phone--IR-2016-40
• Pretending to be from the tax preparation industry--IR-2016-28
If you receive an unexpected call from someone claiming to be from the IRS, here are some of the telltale signs to help protect yourself.
The IRS Will Never:
• Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail you a bill if you owe any taxes.
• Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
• Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
• Ask for credit or debit card numbers over the phone.
If you get a suspicious phone call from someone claiming to be from the IRS and asking for money, here’s what you should do:
• Do not give out any information. Hang up immediately.
• Search the web for telephone numbers scammers leave in your voicemail asking you to call back. Some of the phone numbers may be published online and linked to criminal activity.
• Contact TIGTA to report the call. Use their “IRS Impersonation Scam Reporting” web page or call 800-366-4484.
• Report it to the Federal Trade Commission. Use the “FTC Complaint Assistant” on FTC.gov. Please add “IRS Telephone Scam” in the notes.
• If you think you might owe taxes, call the IRS directly at 800-829-1040.
New Phishing Scheme Mimics Software Providers; Targets Tax Professionals
IR-2016-103, August 11, 2016
WASHINGTON — The Internal Revenue Service today alerted tax professionals to an emerging phishing email scam that pretends to be from tax software providers and tries to trick recipients into clicking on a bogus link.
The email scheme is the latest in a series of attempts by fraudsters to use the IRS or other tax issues as a cover to trick people into giving up sensitive information such as passwords, Social Security numbers or credit card numbers or to make unnecessary payments.
In the new scheme identified as part of the IRS Security Summit process, tax professionals are receiving emails pretending to be from tax software companies. The email scheme requests the recipient to download and install an important software update via a link included in the e-mail.
Once a recipient clicks on the embedded link, they are directed to a website prompting them to download a file appearing to be an update of their software package. The file has a naming convention that uses the actual name of their software followed by an “.exe extension.”
Upon completion, tax professionals believe they have downloaded a software update when in fact they have loaded a program designed to track the tax professional’s key strokes, which is a common tactic used by cyber thieves to steal login information, passwords, and other sensitive data.
Although the IRS knows of only a handful of cases to date, tax professionals are encouraged to be on the lookout for these scams and never to click on unexpected links in emails. Similar email schemes using tax software names have targeted individual taxpayers.
The IRS recently launched a new campaign to raise awareness among tax professionals about security threats posed by identity theft issues targeting their industry. The Protect Your Clients; Protect Yourself campaign features an ongoing effort to urge tax professionals to step up their security protections and be aware they increasingly are targets of cybercriminals.
The IRS urges all tax preparers to take the following steps:
• Be alert for phishing scams: do not click on links or open attachments contained in e-mails and always utilize a software provider’s main webpage for connecting to them.
• Run a security “deep scan” to search for viruses and malware;
• Strengthen passwords for both computer access and software access; make sure your password is a minimum of 8 digits long (more is better) with a mix of numbers, letters and special characters;
• Educate all staff members about the dangers of phishing scams in the form of emails, texts and calls;
• Review any software that your employees use to remotely access your network and/or your IT support vendor uses to remotely troubleshoot technical problems and support your systems. Remote access software is a potential target for bad actors to gain entry and take control of a machine.
Tax professionals should review Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business, which provides a checklist to help safeguard taxpayer information and enhance office security.