The Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community. During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces.
Last year, more than 200 employers were victimized, resulting in hundreds of thousands of employees with compromised identities. The scam affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments, and charities.
What is a Form W-2?
Employers engaged in a trade or business who pay remuneration for services performed by an employee must file a Form W-2 for each employee from whom:
- Income, social security, or Medicare tax was withheld.
- Income tax would have been withheld if the employee had claimed no more than one withholding allowance or had not claimed exemption from withholding on Form W-4, Employee’s Withholding Allowance Certificate.
Additionally, employers must issue W-2s to any employee (including an employee who is related to the employer) who had the following:
- Non-cash payments of $600 or more for the year
- Non-cash payments of any amount if any income, social security, or Medicare tax was withheld
The Form W-2 contains the employee’s name, address, Social Security number, income, and withholdings. Criminals use that information to file fraudulent tax returns, or they post it for sale on the DarkNet.
How the Form W-2 Phishing Scam Works
Cybercriminals do their homework, identifying chief operating officers, school executives or others in positions of authority. Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees.
In many cases, the email starts off as a friendly exchange before the fraudster asks for all Form W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.
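The indicators a payroll mailbox can check mechanically follow directly from that description: an executive's display name paired with an outside sending address, a Reply-To that silently redirects the conversation, failed sender-authentication results recorded by the receiving server, and a body that asks for W-2s. The script below is an added example, not part of the original notice; the executive directory and the sample message are constructed for illustration.

```python
"""Flag executive-impersonation (BEC) emails that request W-2 data, from raw headers."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory of executives whose names an impersonator would borrow (hypothetical).
EXECUTIVES = {"Pat Doe": "pat.doe@example.com"}
W2_REQUEST = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def bec_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like a spoofed executive W-2 request."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected.lower():
        reasons.append(f"display name '{from_name}' used with outside address {from_addr}")
    # 2. Replies are redirected to a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. The receiving server recorded a failed SPF/DKIM/DMARC check.
    auth = msg.get("Authentication-Results", "")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.IGNORECASE):
        reasons.append(f"authentication failure: {auth.strip()}")
    # 4. The subject or body asks for W-2 forms, the scam's actual request.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if W2_REQUEST.search(msg.get("Subject", "") + " " + text):
        reasons.append("message requests W-2 forms")
    return reasons

# Constructed sample modelled on the scam described above (not a real message).
SAMPLE = """\
From: Pat Doe <pat.doe@example-mail.net>
Reply-To: ceo.urgent@example.net
To: payroll@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.net
Content-Type: text/plain

Hi, are you in the office? I need the W-2s for all employees as PDF today.
"""

if __name__ == "__main__":
    for reason in bec_indicators(SAMPLE):
        print("FLAG:", reason)
```

Run against the sample, all four indicators fire; a message from the executive's real address with no Reply-To redirect, no authentication failure and no W-2 request returns an empty list.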
What to do
Employers should be aware that cybercriminals’ scams constantly evolve. Finance and payroll personnel should be alert to any unusual requests for employee data.
If your business or organization falls victim to the scam, or receives a suspect email but does not fall victim to it, send the full email headers to firstname.lastname@example.org and use “W2 Scam” in the subject line.