As previously reported, the IRS announced late last month that an email phishing scam targeted at payroll departments for the purpose of criminally obtaining Form W-2 information resurfaced for the second time since 2016. (IR-2017-10)

On February 1, 2017, the IRS issued an urgent alert stating that the scam "has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits."

The IRS alert also states that these same scammers have doubled their impact by soliciting wire transfers. Some businesses have already fallen prey to both scams, the IRS said. (IRS Exempt Organization Update, EO Update: e-News for Charities & Nonprofits, February 3, 2017.)

This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme. — IRS Commissioner John Koskinen

Background

Cybercriminals posing as company executives send emails to payroll and human resources professionals soliciting Forms W-2 data containing Social Security numbers and other personal identifiable information. The emails appear to originate from legitimate email addresses of organizational executives; however, email replies go to the accounts of the cybercriminals.

This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

Steps the IRS urges employers to take

The IRS, states and tax industry urge all employers to take the following steps:

1. Share information with payroll, finance and human resources employees about this Form W-2 and wire transfer scam.

2. Consider creating an internal policy, if one is lacking, on the distribution of employee Form W-2 information and requirements for conducting wire transfers.

3. Organizations receiving a Form W-2 scam email should forward it to phishing@irs.gov and place "W2 Scam" in the subject line.

4. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.

5. Employees whose Forms W-2 information has been stolen should review the recommended actions by the Federal Trade Commission at identitytheft.gov or the IRS at irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee's own tax return gets rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

———————————————
RELATED RESOURCES

— For more information about EY's Exempt Organization Tax Services group, visit us at www.ey.com/ExemptOrg

———————————————

———————————————

———————————————
ATTACHMENT

EY Payroll News Flash