Our Data Privacy and Security team is currently assisting multiple clients in responding to nearly identical fraudulent requests for IRS Form W-2 information. Significantly, these clients are in a number of industries and are located in a variety of states, which confirms that this scam is widespread.

IRS Issues Warning About W-2 Scam

Earlier this month, the Internal Revenue Service (IRS) issued a warning that the Form W-2 e-mail phishing scam is circulating again and has grown to include a wider variety of industries this year.

What Is the Scam?

The criminals behind the W-2 phishing scam disguise an e-mail so it appears to be from a CEO or other executive within the company. In fact, some of the request e-mails contain signature lines that are identical to those in legitimate e-mails. The e-mail is sent to an employee, typically in payroll or human resources, and asks for copies of the Forms W-2 or other sensitive employee information, including social security numbers.

Criminals attempt to get the Forms W-2 before employees have a chance to file their returns. This allows the criminal to file the return first and obtain the refund that should have gone to the employee.

In some cases, the W-2 request is combined with or followed by a request for money to be electronically transferred to third-party accounts.

“This is one of the most dangerous e-mail phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen. The IRS also warns that businesses that were victims last year are receiving scam e-mails again this year.


Never respond to an e-mail that demands the immediate release of sensitive personal information or money without first independently verifying the identity of the sender. Also, do not call any number supplied in the request e-mail as a form of verification, because the criminals have set up phone banks that enable them to continue the ruse. Instead, be sure to verify the request in person or use an internal phone number to speak directly with the (alleged) requestor.

If Your Company Is a Target

If your company is targeted by a W-2 or wire transfer scam, you should report the attack to the IRS without responding to the scammer. Any W-2 scam e-mail can be forwarded to phishing@irs.gov with “W2 Scam” in the subject line. You should also file a complaint with the Internet Crime Complaint Center. For more information from the IRS, visit www.irs.gov/identitytheft.

Further, if any inadvertent disclosure of sensitive personal information has been made in connection with this scam, report the incident to the IRS and law enforcement, such as the FBI, as soon as possible. You may also contact McGuireWoods for assistance. We are currently working with clients to respond to these breaches and are very familiar with the response process, including any state notifications that may be required. We can also assist with reporting to law enforcement and the IRS.