IRS Alerts Payroll and HR Professionals to Phishing Scam Involving W-2 Forms

The scheme—which is just one in a surge of phishing scams reported in the last year—has claimed numerous victims

January 26, 2017

The Internal Revenue Service (IRS) is warning payroll and human resources professionals to beware of a persistent phishing email scam that purports to be from company executives and requests personal information on employees.

This type of email phishing is known as "spoofing." According to the IRS, the email will contain, for example, the actual name of the company chief executive officer. In this variation, the "CEO" sends an email to a company payroll office employee and requests a list of employees and information including Social Security numbers.

The IRS says that this scheme—which is just one in a surge of phishing scams reported in the last year—has claimed numerous victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain personally identifiable information to cybercriminals posing as company executives.

Once criminals have this stolen personal data, it can be used to perpetrate identity theft—including filing fraudulent tax returns to steal refund money.

"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments," said IRS Commissioner John Koskinen. "If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."

The IRS says that its Criminal Investigation division is reviewing several cases in which people have been tricked into sharing Social Security numbers with what turned out to be cybercriminals.

If you receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, report it by sending it to phishing@irs.gov.

Remember—the IRS generally does NOT initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

Find out more about protecting your personal data this tax season at IRS.gov.