W-2 Email Scam Finds More Victims in 2017


The number of organizations that fell prey to a recurring W-2 email scam in which identity thieves pose as company executives rose substantially in 2017, an Internal Revenue Service official said May 18.

Data breaches at a relatively small number of organizations may represent the stolen data of hundreds of thousands of taxpayers, said Tamara Powell, acting director of the IRS Return Integrity Compliance Services. 

“Cyber criminals have continued to evolve,” Powell said at the annual American Payroll Association Congress in Orlando, Fla. “As we have made progress against identity theft, the criminals need more and more personal data to be able to impersonate the true taxpayers. They merely shifted their targets to those of you in the payroll industry.”

The email scam uses a corporate officer's name to request employee Forms W-2, Wage and Tax Statement, from payroll or human resources departments. In the first four months of 2017, 870 organizations reported to the IRS that they received a W-2 phishing email, up from about 100 organizations in the first four months of 2016, Powell said. Of the 870 organizations, about 200 lost data, up from about 50 in 2016, she said.

“Two hundred organizations may not sound like a lot, but that data theft or data loss can translate into hundreds of thousands of taxpayers,” Powell said.

No single industry was targeted, Powell said. Organizations affected by the phishing scam included manufacturers, payroll-service providers, payroll companies, public schools and universities, and hospitals, she said.

In the scam, which first appeared in 2016, cybercriminals trick workers into disclosing employee names, Social Security numbers and income information. They then attempt to file fraudulent tax returns for refunds, the IRS said.

“The criminals are especially brazen,” Powell said. In one case, a criminal did not like the format the W-2s were in, so the thief asked the payroll employee to reformat and resend them. The employee complied, she said.

Organizations may discover a data breach weeks or months after it has occurred, at which point the criminal has likely profited from the theft by using the data or selling it on the dark web, Powell said. Identity thieves will continue using the phishing scheme for as long as it is effective, she said.

Tactics like the phishing scheme represent a departure from traditional identity theft, which started to change around 2010, Powell said. Identity theft evolved from a crime of opportunity, typically committed by someone within an organization with access to W-2 data, to operations run by organized crime and criminal syndicates, she said.

The criminals behind identity theft are well funded and technically sophisticated, Powell said. “They start prepping for our filing season before we do.”
