05 April 2017

IRS streamlines process for reporting W-2/SSN data theft data breaches

Guidance is available that streamlines how employers can report data breaches to the IRS and state tax agencies and includes resources that businesses can share with affected employees. (Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.)

As previously reported, the IRS announced that an email phishing scam targeted at payroll departments for the purpose of criminally obtaining Form W-2 information resurfaced for the second time since 2016. (See Tax Alert 2017-176.)

Background

Cybercriminals posing as company executives send emails to payroll and human resources professionals soliciting Form W-2 data containing Social Security numbers (SSNs) and other personally identifiable information. The emails appear to originate from legitimate email addresses of organizational executives; however, email replies go to the accounts of the cybercriminals.

This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).
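The reply diversion described above leaves a mark in the message headers: a From address on the organization's own domain paired with a Reply-To address on an outside domain. The Python check below is an added example, not part of the original alert or of IRS guidance; the domain `example.com`, the keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the organization's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Assumption: terms that suggest a request for payroll data.
W2_TERMS = ("w-2", "w2", "ssn", "social security")

# Constructed sample messages, not real mail.
SPOOFED = (
    "From: Pat Lee <ceo@example.com>\n"
    "Reply-To: Pat Lee <ceo.example@mailbox.invalid>\n"
    "To: payroll@example.com\n"
    "Subject: 2016 W-2 copies\n"
    "\n"
    "Please send the W-2 forms for all staff.\n"
)
BENIGN = (
    "From: Pat Lee <ceo@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Staff meeting\n"
    "\n"
    "Moved to 3pm.\n"
)


def _domain(addr):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def reply_diverts(raw_message):
    """Return details when an internal-looking From has an outside Reply-To, else None."""
    msg = message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domains = {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    reply_domains.discard("")
    outside = sorted(reply_domains - INTERNAL_DOMAINS)
    if from_domain not in INTERNAL_DOMAINS or not outside:
        return None  # sender is not claiming to be internal, or replies stay inside
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    return {
        "from_domain": from_domain,
        "reply_to_domains": outside,
        "mentions_w2": any(term in text for term in W2_TERMS),
    }
```

The check covers only the header pattern this alert describes; a message sent from a look-alike outside domain with an executive's display name would need a separate rule.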

On February 1, 2017, the IRS issued an urgent alert stating that the scam "has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits." The IRS alert also states that these same scammers have doubled their impact by soliciting wire transfers. Some businesses have already fallen prey to both scams, the IRS said. (See Tax Alert 2017-256.)

Reporting a data loss related to the W-2 scam

If a breach has occurred, employers should email dataloss@irs.gov to notify the IRS of the W-2 data loss. In the subject line, type "W2 Data Loss." Do not include any employee personally identifiable information (PII), but do include the following:

1. Business name
2. Business employer identification number (EIN) associated with the data loss
3. Contact name
4. Contact phone number
5. Summary of how the data loss occurred
6. Volume of employees impacted

Reporting a data loss to state tax agencies

Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.

Reporting a data loss to other law enforcement officials

Businesses/payroll service providers should file a complaint with the FBI's Internet Crime Complaint Center (IC3) and may be asked to file a report with their local law enforcement agency.

Informing employees about a Form W-2 data loss

Cybercriminals immediately attempt to monetize their thefts. They may attempt to file fraudulent tax returns claiming a refund or sell the data on the Internet's black market. Employees can learn what to do from the following resources:

2. Share IRS Publication 5027, Identity Theft Information for Taxpayers, with employees and direct them to the "Steps for Identity Theft Victims," which includes:

— Contacting one of the three credit bureaus to place a "fraud alert" on their account and considering a "credit freeze," which offers more protection.
— Filing a complaint with the Federal Trade Commission, the lead federal agency on identity theft issues.
— Reviewing the FTC information at www.identitytheft.gov for additional steps to recover from identity theft.

3. The FTC also offers guidance to businesses on how to inform employees of the incident and additional steps businesses may take. See Data Breach Response: A Guide for Business.

4. Share IRS Publication 4524, Security Awareness for Taxpayers, with your employees.

If your business received the email but did NOT fall victim to the scam, forward the email to the IRS using the following steps:

1. The email headers should be provided in plain ASCII text format. Do not print and scan.

2. Save the phishing email as an email file on your computer desktop

3. Open your email and attach the phishing email file you previously saved

4. Send your email containing the attached phishing email file to phishing@irs.gov. Subject Line: W2 Scam. Do not attach any sensitive data such as employee SSNs or W-2s.

5. File a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.

———————————————

Contact Information
For additional information concerning this Alert, please contact:

Workforce Advisory Services — Employment Tax Advisory
Debera Salam (713) 750-1591
Kristie Lowery (704) 331-1884
Kenneth Hausser (732) 516-4558
Debbie Spyker (720) 931-4321

———————————————
ATTACHMENT

EY Payroll News Flash

Document ID: 2017-0592