FBI warns of spreading W-2 email theft scheme

The IRS is warning businesses about a sharp increase in email phishing scams involving employees’ W-2 forms — scams that can put workers’ Social Security numbers and other crucial information in the hands of thieves.

The government said 200 businesses, public schools, universities, Native American governments and nonprofits were victimized by these scams during this year’s tax filing season, resulting in the theft of several hundred thousand employees’ data. That’s up from 50 in 2016, when the scam first appeared.

Cyberthieves perpetrate the scams by sending emails that appear to come from executives inside the targeted organizations. The emails ask payroll or human resources departments to reply with a list of all employees and their W-2 forms. Some emails also ask companies to transfer money to a specified bank account.

Companies should be on alert for anyone asking for employees’ W-2 forms or for wire transfers of money.

The IRS has an email notification address specifically for businesses and organizations to report W-2 thefts: dataloss@irs.gov. Be sure to include “W-2 scam” in the subject line. Businesses and organizations that receive a suspicious email but haven’t been victimized should forward it to phishing@irs.gov, also with “W-2 scam” in the subject line. Anyone victimized should also contact the FBI’s Internet Crime Complaint Center through its website, www.ic3.gov .

The IRS also has suggestions for avoiding being victimized:

• If you get a suspicious email, pick up the phone and call the person who purportedly sent it, using a phone number you can verify as theirs, not one that might be contained in the email. Confirm that this person has in fact made the request.
• Make sure that any employees with access to W-2s or other sensitive information are aware of these scams. Make sure they know the warning signs of phishing scams, including incorrect email addresses.
• Invest in software that will flag suspicious emails.