Form 1040 Corner Partially Filled Out

Beware the W-2 Scam

It seems like there’s a data breach nearly every week. National retailers and credit bureaus get hacked, inadvertently releasing your personal information out to bad guys.

But the problem could be close to home – maybe even your own company. Beware the W-2 Scam.

The IRS reports that in 2017, the W-2 scam victimized companies of all sizes, public schools, nonprofits and hospitals. They expect the scam to continue in 2018, especially targeting employees in payroll and human resources departments.

Here’s how it works: A company executive contacts an employee who has access to payroll records, requesting a list of all employees and their W-2 forms. The employee, eager to respond to the boss’ request, sends out the information . . . only to find out later that it was sent to someone outside the company with malicious intent.

The key? Be skeptical. Assume a request for information is bogus until you’ve verified it comes from a trustworthy source. Even if it looks like it comes from a known source, verify the request independently by picking up the phone or sending a separate email rather than replying to the initial request. Cybercriminals can spoof email addresses to make them look legitimate, so just because it looks valid doesn’t mean it is.

It’s also a best practice to require two people review any release of sensitive employee or company information or before making any wire transfers.

And what if the unthinkable happens and your employees’ personal information gets leaked? Here are recommendations by the IRS:

  • Email dataloss@irs.gov to notify the IRS and provide contact information. Enter “W2 Data Loss” in the subject line so the email can be routed properly, and don’t attach any employee personally identifiable information to the email.
  • Report victim information to your state by contacting the Federation of Tax Administrators at StateAlert@taxadmin.org.
  • File a complaint with the FBI’s Internet Crime Complaint Center and your local law enforcement agency.
  • Forward the scam email to phishing@irs.gov.
  • Notify your employees so they can take steps to protect themselves from identity theft. The Federal Trade Commission website (www.ftc.gov) has a link for individuals to report identity theft and get a recovery plan.

Be safe out there!