W-2 tax scams are back. Here's a look at how to prevent identity theft in a business and keep employee data safe.
Tax season has arrived. It's a tough time for businesses as they take on the extra burden of satisfying Internal Revenue Service requirements, but a recent IRS warning adds another layer of stress to the process: Just like last year, there's a spike in W-2 phishing as malicious actors attempt to steal employee data.
Here's a look at how to prevent identity theft in a business by detecting, deflecting and reporting W-2 scams.
According to Forbes, this scam gained traction last year with cybercriminals looking for ways to grab employee W-2s. Their method hasn't changed much from 2017: Attackers send a "phishing" email seemingly from someone in a position of authority — often a C-suite executive or corporate manager, or even from the IRS itself.
In either case, attackers want companies to send over all W-2 forms and lists of employee earnings along with other critical data such as Social Security numbers and home addresses. Scammers then use this data to steal or sell employee identities online. Victims may discover fraudulent tax returns filed on their behalf or credit cards issued in their name. Even worse? Resolving this kind of compromise can take years, even with credit- and tax-monitoring assistance.
The Professional Problem
There's also a new scam underway. According to Bandemer Accountancy Corp., scammers are now targeting tax-preparation professionals to access business W-2 data.
It works like this: Attackers send phishing emails to CPAs warning that their tax preparation software has been locked or is out of date, providing a website link to resolve the issue. Once there, tax pros are asked for their username and password, and this data is used to gain database access and compromise massive amounts of stored business data.
Tell, Don't Show
With IRS scams on the rise, knowing how to prevent identity theft in a business is critical for business owners. Key steps include:
- Limiting access: The fewer people in your organization that have access to W-2 data, the better. Keep an updated list of all staff members (and external tax professionals) who have access to this information and implement tools that let you track access and modification. This limits the chance of a breach and lets you backtrack issues in the event of compromise.
- Knowing the risks: As noted by Time, the IRS communicates via registered U.S. mail. If you receive an email, text message or social media notification that's supposedly from the IRS, it's not. Also worth noting is that hackers are doubling down and have started using actual phone calls to convince businesses they're from the IRS. While it's possible that the IRS could reach out this way, never take the caller's word for it — get their name, badge number and call-back number. Then call 1-800-366-4484 to determine whether they're telling the truth.
- Never showing data: The best way to avoid a W-2 scam? Don't send data. This means resisting the urge to respond to "URGENT" emails from supposed IRS auditors or C-suite executives and always avoiding in-email links. The rule here is simple: If it feels wrong, it probably is.
- Telling someone: If you suspect a scam, report it to relevant stakeholders, higher-ups and the IRS. According to the agency's Report Phishing and Online Scams webpage, you should forward the entire email as is to firstname.lastname@example.org and then delete the original email.
Tax season has arrived — and tax fraud along with it. Keep W-2 forms safe by recognizing risk and reporting suspicious activity to the IRS.