As tax season began in January 2018, the IRS released a statement warning HR and payroll managers of phishing scams surrounding W-2 forms. The IRS encourages payroll managers to talk to their employees about the scam, which it considers “one of the most dangerous phishing emails in the tax community.” In this scam, cybercriminals trick payroll staff into disclosing sensitive information. According to SHRM, reports of these payroll phishing scams to email@example.com increased from 100 in 2016 to 900 in 2017. This scam has affected all types of companies in the last two years, from small businesses to enterprise corporations.
The phishing emails often appear to come from top executives in the company and request sensitive employee data via Form W-2. This data includes an employee’s name, date of birth, Social Security number, address, and salary. The emails often convey a sense of urgency to get a quick turnaround on the information. Some scams have gone so far as to target specific junior employees and new hires, who would be more likely to fall for the scam.
The IRS encourages companies to create a policy that limits the number of employees who have authority to handle W-2 form requests. Companies should also require additional verification to validate any request for sensitive employee data such as Form W-2.
If you receive a suspicious email asking for sensitive employee data, email firstname.lastname@example.org. Include the original suspicious email in your message and put “W-2 scam” in the subject line.
For more information about the scam or to report employee data theft from a W-2 scam, visit the IRS data theft information page.