Hundreds of companies across the U.S. are falling for a very new trick to take the W-2 forms of employees, as cyber criminals get increasingly creative to steal the identities of Americans.
Days ago, the Internal Revenue Service issued an alert directed at payroll and human resource professionals, but the impact of the scene reaches nearly every working American.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen.
“If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees," said Koskinen.
"'Spoofing' is when they make it look like it comes from someone you know, like your CEO, like you get an email from your CEO saying 'urgent request, please send me all the W-2 information of all employees,'" said Stu Sjourwerman, a longtime cyber-security expert.
"Hundreds of organizations are currently being tricked into send W-2 information so the bad guys can use that essentially for bogus tax returns," said Sjourwerman, whose Clearwater-based company KnowBe4.com helps companies close security loop-holes and trains company employees how to spot and avoid "spear-phishing," which is a targeted kind of email scheme by hackers to access a company's computer system or access certain kinds of files.
Evening Post Industries, based in South Carolina, and Main Line Health, based in Pennsylvania, are two major employers who were tricked into emailing W-2 forms to hackers through this scheme in 2016.
The following are some of the details contained in the e-mails, according to the IRS:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The IRS, state tax agencies and tax industry are engaged in a public awareness campaign — Taxes. Security. Together. — to encourage everyone to do more to protect personal, financial and tax data.