It’s tax season again – the time of year when cybercriminals are especially rampant. A scam that surfaced last year is back in circulation this year, where an email is sent supposedly from a CEO or other corporate officer, requesting W-2 or other sensitive information from a payroll staff member. The personal information – including names, Social Security Numbers, and income – is then used by the bad guys to file fraudulent tax returns in order to obtain tax refunds.
These “spoofing” emails are becoming more and more sophisticated, sent from legitimate-looking email addresses. Here’s the type of wording they might contain (courtesy of a recent IRS news alert):
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
These types of emails have been used to not only gain sensitive information, but also to initiate wire transfers of substantial amounts of money (sometimes referred to as “CEO Fraud”). They prey on fear and intimidation (after all, who would want to question a request from the CEO??), but it’s always better to be safe than sorry. Before taking action or providing sensitive information, always verify and confirm the request to ensure it comes from a legitimate source. Rather than replying to the initial request, contact the individual by phone or by initiating a new email.
The IRS is actively working to protect tax information from identity thieves. For more information, see Publication 4524, Security Awareness for Taxpayers, and remember to always think before you click!