The IRS has warned small businesses to be vigilant against the rising threat of identity theft and W-2 scams. By the time these scams come to light, it’s too late to start implementing controls. Indeed, last tax season saw a surge in phishing emails targeting payroll direct deposit and wire transfers. Don’t wait until they return next tax season to get yourself ready.
Let’s take a closer look at these threats.
Identity theft and W-2 scams
The IRS has warned small businesses to guard against identity theft, which the agency describes as “big business for identity thieves” and “devastating to small businesses.”
The sensitive information about employees that employers hold is highly valued by identity thieves, and much of this data can be found on Form W-2.
Identity thieves are known to use stolen business data to open credit card accounts or file bogus tax returns in order to fraudulently receive refunds. For example, they may file false individual tax returns by stealing employer identification numbers and creating fake W-2s.
One of the most dangerous types of W-2 scams involves the fraudster posing as a company executive and directly emailing the company’s HR or payroll staff. The email may appear friendly and innocent, starting with a simple, “Hey, you in today?” — but the fraudster’s goal is to steal employees’ W-2 and identity data.
Payroll direct deposit and wire transfer scams
This type of cybercrime involves business email compromise and business email spoofing (BEC/BES) tactics — which normally target all employers, regardless of industry. In these scenarios, the fraudster, pretending to be a company employee, emails someone in the HR or payroll department and requests that they change his or her payroll direct deposit information. However, the new direct deposit information is controlled by the impersonator.
BEC and BES scams may also come in the form of emails that impersonate a company executive and are sent to the employee who handles wire transfers.
Like many other email scams, BEC and BES rackets usually include grammatical and spelling errors.
Defeating the threats
- Do not respond to — or click any links in — emails that you suspect are from scammers.
- Forward tax-related phishing emails to the IRS at firstname.lastname@example.org.
- Forward nontax-related BEC and BES email scams to the Internet Crime Complaint Center at www.ic3.gov.
- If you fall prey to a W-2 scam, notify the IRS at email@example.com. For detailed information on how to report this scam, visit Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
Be sure to inform your staff about the potential dangers lurking around the next tax season.
Also, tell your other employees about the perils of identity theft and refer them to the Federal Trade Commission’s website (www.identitytheft.gov) for tips on how to protect themselves.