IRS Reports Increase in Email Phishing Scams – W-2 tax Data
The Internal Revenue Service (IRS) Online Fraud Detection & Prevention (OFDP) reported an increase several new variations of IRS and tax-related email phishing scams. The increase uptick began in January 2017. These compromised or spoofed emails scams phish for W-2 information.
The IRS’s Online Fraud Detection & Prevention department monitors online resources for IRS and tax related scams.
OFDP warns that the emails impersonate a human resource (HR) staff member at the recipient’s employer. The goal is to obtain sensitive HR information such as IRS W-2 forms. IRS W-2s contain an employee’s name, address, social security number as well as some data about income and deductions. This is enough information to launch a social engineering attack against the recipient of the phishing scam.
What is an email Phishing Scam?
This scam is just one of several new variations of IRS and tax-related phishing campaigns targeting W-2 information, indicating an increase in the interest of criminals in sensitive tax information.
The IRS may be able to help victims of tax related email phishing scams. According to the IRS bulletin, to alert the IRS and OFDP of a phishing scam contact the IRS immediately. Email IRS at dataloss @ irs . gov and provide the information listed in the bulletin so the IRS can contact you. In the subject line, type “W-2 Data Loss.” Do not attach any employee personally identifiable information!
How to Reduce the Risk of a W-2 Phishing Scam
Businesses and other organization can help reduce the risk of their employees falling prey to email phishing scams. Some of these methods include:
- Limit the number of employees who have the authority to approve wire transfers
- Limit the number of employees that handle tax information
- Verify requests for W-2 information
- Verify wire transfer requests that come from executives
- Verify a change in payment instructions to a vendor or supplier by calling a known phone number to confirm the request
- Verify wire transfers with the bank
- Require double-approval for any wire transfer request involving something out of the ordinary like a high dollar amount or a country where the organization does not normally do business.