This month, the IRS warned of a “dangerous W-2 phishing scam” that is a continuation of a scam which hurt multitudes of taxpayers last year. This year, however, not only is this W-2 phishing scam even more effective, but its consequences and reach have drastically intensified and expanded. What exactly is this scam and how can you avoid it? Continue reading to learn about the ongoing W-2 phishing scam and its implications for you this tax season.

How does this W-2 phishing scam work?

Last year, the IRS notified taxpayers about a W-2 phishing scam targeting human resources and payroll departments within organizations across the country. Similar to a traditional phishing scam that aims to get someone’s personal information, this scam works by duping employees into handing over sensitive employee information under the guise of a request from a company manager, director or executive. In many cases, scammers do not hesitate to impersonate leaders at the highest levels of the organizations they target — in fact, these scams are sometimes called “CEO scams” for this very reason.

This year, the scam has expanded its sphere of targets to restaurants, school districts, tribal groups and critical institutions like hospitals, while taking on a new dimension. The biggest change is that scammers are pairing this W-2 scam with another payroll scam that allows them to wire money out of the companies they target, inflicting twice the damage on organizations. While there are no official numbers for the total W-2 victim count so far, some databases and security researchers put this year’s number of victims somewhere around 29,000 taxpayers, which, of course, is expected to continue to grow substantially throughout the tax season.

Why is this W-2 phishing scam so devastating?

There are various reasons why this W-2 scam has been so successful, but here are the most important ones:

Scammers got an early start. Even though tax season just started on Jan. 23, we’ve already seen several thousand taxpayers fall victim to this scam. While in prior years most tax scams began fairly early in the tax season, this year, scammers have seemingly jumped the gun with this W-2 scam — it was something we warned about in December. What’s worse, as a result of successes with this W-2 phishing scam, there now exist places on the dark web where stolen W-2s can be bought, meaning that some unfortunate taxpayers can have their return claimed at any time this year (assuming their legitimate return isn’t filed first). Given that most of the critical information on a W-2, like names, social security numbers and addresses, isn’t likely to change, these stolen copies ensure that scammers are one step ahead for years to come.

Scammers are successful at spoofing emails. We’ve talked in-depth about phishing before, and we’ve pointed out that many of today’s phishing campaigns use a targeted approach called “spear phishing.” Unlike standard phishing, which is impersonal, spear phishing uses information that is personally relevant to potential victims in order to bait them. The key to spear phishing is a tactic called “spoofing,” which is just a fancy way of saying that scammers forge credentials in order to assume the identity of someone the victim knows. By spoofing or doctoring emails, scammers can make messages seem like they came from somewhere or someone they didn’t. For example, they can spoof email headers to make it appear like a message came from your boss or from any person within the company or organization you work for; these are sometimes referred to as business email compromise scams. They can also emulate the contents of existing email threads, as we saw with last month’s Gmail scam. Unfortunately, this means the days are gone when all phishing messages came riddled with typos and other telltale signs of fraud and spam.
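An added example (not part of the original article): a Python check that flags the header signs of the spoofing described above, run on a constructed message. The `.example` domains, the `triage` function and its flag names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); all names and domains are made up.
SAMPLE = """\
From: "Pat Example, CEO" <pat@corp.example>
Reply-To: pat@corp-mail.example
To: payroll@corp.example
Subject: Need all employee W-2s today
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp-mail.example; dkim=none; dmarc=fail header.from=corp.example

Please send me the W-2 forms for all staff as a PDF. Also wire the attached invoice.
"""

KEYWORDS = re.compile(r"\bW-?2s?\b|\bwire\b|\bpayroll\b", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def triage(raw, org_domain, trusted_authserv):
    """Return the reasons a message needs out-of-band verification before acting."""
    msg = message_from_string(raw)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # A forged From with a different Reply-To routes the victim's answer to the scammer.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        flags.append("reply-to-domain-mismatch")
    if domain(from_addr) != org_domain:
        flags.append("external-sender")
    # Only trust results stamped by our own receiving server; others can be forged.
    results = [h.lower() for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].strip().lower() == trusted_authserv]
    auth = " ".join(results)
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            flags.append(f"{mech}-not-pass")
    body = "" if msg.is_multipart() else msg.get_payload()
    if KEYWORDS.search(msg.get("Subject", "") + " " + body):
        flags.append("sensitive-request")
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE, "corp.example", "mx.corp.example"))
```

A message that raises any of these flags together with `sensitive-request` is the kind to confirm in person or by phone before replying.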

How can you fight this phishing scam?

While this scam is targeting businesses and organizations, it’s important that all taxpayers be made aware of it, given that compromised W-2s can result in the loss of a taxpayer’s identity. As such, both employees and managers/business owners should take action to fight this scam.

As an employee you should:

Double check email content (especially wire requests). While scams are becoming increasingly sophisticated and more convincing, you will always have one line of recourse to protect yourself – verification of the contents of the email. If someone appears to be asking you for a favor that requires you to share confidential information or send out money, talk to them in person or via phone (make sure you don’t call any numbers listed in the email) to confirm the legitimacy of the message before you act on it.

As a manager/business owner you should:

Provide some degree of cybersecurity education to employees. In today’s world, it’s becoming increasingly important for everyone, not just experts, to be familiar with good cybersecurity habits. As such, employees need to be consistently exposed to examples of campaigns like the W-2 phishing scam before they will understand how to approach and deal with them. Even without formal training, though, you can still provide your employees with better odds of overcoming this scam by sharing with them information and resources from the IRS or the FTC. Simply having an idea of what scammers are currently up to will allow employees to take precautions and confirm the legitimacy of emails before they act.

Both employees and managers/business owners should:

Send proof of the scam to officials. If you or your organization do end up getting swept up into one of these phishing campaigns, it’s a good idea to note and record as many details as possible and send the information to either the IRS (via email at phishing@irs.gov) or to the Internet Crime Complaint Center (IC3). By reporting the scam, you’re expanding the amount of information government agencies have on these scams, which can help contribute to furthering the understanding of techniques scammers use.

Other new tax scams to be aware of

In addition to the W-2 scam, the IRS said that scammers are capitalizing on taxpayers’ desire for support by creating false listings in search engines for e-filing software tech support. This is not unlike the tech support scams we detailed in the past. If you’re looking for online tax support or an e-filing service, rather than search online (and risk clicking on a phony ad), have a look at the listings on our site or consult the IRS if you’re interested in other services.

For more information about staying safe this tax season, read our tax preparation blog, where we detail tips that will aid you in filing this season.