HR Professionals: Beware of the Form W-2 Scam

According to the Internal Revenue Service, the Form W-2 Scam may be one of the most dangerous phishing email campaigns in the tax community. It can be particularly insidious because it relies on well-researched and carefully crafted emails that may not alert a company’s anti-virus software or spam filters. Once the fraudulent email reaches an employee’s inbox, it’s left to their own best judgment to determine whether the message is real or fake. Do your HR, finance, and payroll personnel know how to detect and avoid a W-2 phishing scam?

The Form W-2 Scam: How It Works

In one of the most common forms of a W-2 phishing scam, a cybercriminal impersonates an executive and sends an email to an HR professional in the same organization requesting employee W-2 information.

According to the IRS, the initial email may be a simple and friendly, “hi, are you working today,” before the fraudster asks for more information. To make the scam as believable as possible, scammers may send it from a compromised email account or a spoofed email address, so that the message appears to come from the executive they are impersonating.

In some more sophisticated schemes, cybercriminals may target junior team members or recent hires, or even monitor social media in order to determine the best time to attack, such as when a senior manager is out of the office on vacation.

Because of the nature of these scams—simply an employee doing their job by answering an email they believe is from an executive—some employers may not realize that they have been scammed for days, weeks, or even months after the incident.

If a cybercriminal successfully receives the information, they may use it to immediately attempt to file fraudulent tax returns, or they may sell the data to other criminals on the dark web or use it to commit other crimes.
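As an added illustration (not part of the original article), here is a small Python check that a mail-gateway rule or an analyst's triage script could run over an incoming message to flag the traits described above: an executive's display name sitting on an address that is not that executive's, a Reply-To that quietly routes answers to another domain, and a request for W-2 or payroll data. The executive list, domains and sample message are constructed placeholders, not real people or addresses.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed data: the executives a scammer is likely to impersonate and the
# terms a W-2 request tends to contain. Names and addresses are placeholders.
EXECUTIVES = {"pat rivera": "pat.rivera@example.com",
              "sam okafor": "sam.okafor@example.com"}
W2_TERMS = ("w-2", "w2", "payroll", "social security")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw_message):
    """Return the BEC indicators found in one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    # An executive's display name paired with an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("executive display name on a foreign address")
    # A Reply-To that sends the HR reply to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != domain_of(addr):
        findings.append("reply-to domain differs from sender domain")
    # The actual ask: W-2 or payroll data mentioned in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in W2_TERMS):
        findings.append("requests W-2 or payroll data")
    return findings

# Constructed sample mirroring the scam: lookalike domain, external Reply-To,
# the friendly opener, then the request for W-2 forms.
PHISH = """From: Pat Rivera <pat.rivera@example-payroll.com>
Reply-To: Pat Rivera <pat.rivera.ceo@webmail.example>
To: hr@example.com
Subject: quick request
Content-Type: text/plain; charset=utf-8

Hi, are you working today? I need the W-2 copies for all staff as PDF.
"""

if __name__ == "__main__":
    print(analyze(PHISH))
```

A message from the executive's real address with no Reply-To and no W-2 wording yields an empty list, so the check raises no noise on routine mail.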

Business Email Compromise Is Easier Than You Think

W-2 phishing scams are a form of Business Email Compromise (BEC), in which an attacker uses the identity of someone on a corporate network to trick a victim into sending money or information.

And, unfortunately, these types of scams are on the rise. In 2018, the FBI’s Internet Crime Complaint Center (IC3) received more than 20,000 BEC complaints with adjusted losses of over $1.2 billion.

If you don’t think it could happen to your company or your employees, try a simple experiment.

Take five minutes to imagine how a criminal would go about getting information about your company and its employees. They could likely find your executives’ names on your website, and a quick LinkedIn search may reveal who your HR and payroll people are. A phone call or two, strategically placed to a busy assistant, could tell a criminal about an executive’s travel schedule or even confirm the name of the person in charge of payroll, all to ensure the scam runs smoothly.

It seems that no business or organization is immune. W-2 phishing scams have impacted many types of organizations: small and large businesses, public school systems and universities, hospitals, and charities.

How to Better Protect Your Company—and Your People

Safeguarding against the Form W-2 Scam and other types of Business Email Compromise can be challenging. According to the FBI, the key to reducing the risk of falling victim to W-2 phishing scams is both to understand the tactics criminals may use and to deploy effective mitigation processes.

For more information on helping your organization better detect and avoid W-2 phishing scams and other forms of BEC, refer to these recommendations provided by the FBI’s IC3.

In Case of Scam: Get Help

In addition, the IRS provides information on how to report data lost to a W-2 scam, how to communicate with employees about a data loss, and how to report a suspicious email.