W-2 Fraud Scheme Claims Payroll Victims As IRS Warns of New Cybercriminal Methods

The Bloomberg BNA Payroll Library gives you reliable, up-to-date guidance and analysis in every area of payroll administration and compliance, and includes hundreds of interactive forms and links to related federal, state, and local sites.

By Keith M. Hill

Payroll departments should be aware of an increasingly problematic e-mail phishing scheme in which identity thieves claim to be company executives and request copies of employees' Forms W-2, the Internal Revenue Service said March 1 in a news release.

The e-mails sent in this phishing scheme, known as spoofing e-mails, are masked to appear to come from someone in an organization's leadership. The e-mails ask payroll employees for either PDF copies of the 2015 Forms W-2 of all the employees in their company or for salary information and personal identification information from payroll records, such as employees' names and Social Security numbers.

“If your CEO appears to be e-mailing you for a list of company employees, check it out before you respond,” IRS Commissioner John Koskinen said in the news release.

Reports of Compromised Payroll Data Stream In

Several employers recently acknowledged that payroll and personal identity data have been successfully acquired through such e-mails as unsuspecting payroll staff forwarded the information to identity thieves.

Seagate Technology, based in Cupertino, Calif., learned March 1 that an employee who thought a phishing e-mail was a legitimate internal company request sent information on 2015 Forms W-2 for current and former domestic employees to an unauthorized third party, the company said in a statement sent to Bloomberg BNA March 7.

“The IRS informed us they have added extra scrutiny to our employees' accounts in order to prevent fraudulent tax returns from being processed,” Eric DeRitis, Seagate’s senior director of public relations and executive communications, told Bloomberg BNA.

The payroll department for Snapchat, a photo-sharing service based in Los Angeles, was targeted in February by an isolated e-mail phishing scam in which a scammer impersonated the company's chief executive officer and asked for employee payroll information. Certain information about some current and former employees was released to an unauthorized third party, but none of the company's internal systems were breached and no user information was accessed, the company said Feb. 28 in a press release.

Additional Security Measures

Central Concrete Supply Co., based in San Jose, Calif., also was hit in February by a data security incident. A third party posing as another person convinced an employee to provide copies of 2015 Forms W-2 via e-mail. Information disclosed included employees' names, Social Security numbers and income information, the company said Feb. 24 in a press release.

The concrete supply company said it has implemented additional security measures to prevent a recurrence, such as adopting a policy of dual authentication for transfers of personal identity information and increasing cybersecurity training for employees, the company said.

Mercy Housing, with headquarters in Denver, also in February was a victim of the e-mail scam, resulting in an unauthorized release of all 2015 Forms W-2 issued by the payroll department, the company said Feb. 22 in a press release.

In its information release, the IRS renewed a broad consumer alert for e-mail schemes after identifying an increase of about 400 percent in phishing and malware incidents so far this tax season in comparison to the previous tax season.