Posted by: Heather Shy on February 9, 2018 at 8:00 am
Tax season starts as soon as the W-2s go out, and so do the tax scams.
Which means it’s the wonderful time of the year when we start sending out reminders about what’s new in tax scams, what to watch for, and how to protect your business data and network.
Please share this article with your payroll, finance, and HR staff.
New Direct Deposit Phishing Scam
New this year is a phishing attack targeting direct deposit. It starts with an official-looking email that asks you to click a link and access a website. Next, the site asks you to confirm your data by entering your real username and password. Last, the scammers use those credentials to access payroll portals and reroute your direct deposit amounts to bank accounts they own.
As with other scams we’ve seen, the lesson here is to never give anyone your credentials in response to an email.
The W-2 Scam is Now a Classic
Have you heard about the W-2 tax scam? This first hit the news in 2016 and added a fraudulent wire transfer “feature” last year. The IRS is already sending out warnings for 2018. The scam typically goes like this: An email that looks like it comes from the CEO, CFO or other “big boss” is sent to an employee, telling them to send the W-2s of all employees. However, the reply email actually routes back to the scammers.
Tavis put together this video about how the scam works and what to watch for:
Unfortunately, if the employee complies, the criminals now have the name, address, Social Security number, income and withholdings of every single one of your employees. They can use that information to file fraudulent tax returns, sell it on the Dark Net, and commit other evil deeds.
How to Protect Your Business and Staff
The IRS recommends that businesses set up the following policies to protect their information and employees:
- Limit the number of employees who have authority to handle Form W-2 requests.
- Require additional verification procedures to validate the actual request before emailing sensitive data. That can be by text, a quick phone call, or in-person chat.
We would add:
- Review “Urgent” emails very carefully, including the “From” and “Reply to” fields.
- Never send out confidential data in bulk.
- Educate staff on the importance of being thorough.
- Invest in email monitoring such as TAZ Email Care.
- Call TAZ Networks to talk to a consultant with any questions.
All of the above is also good policy for wire transfer requests, which often go hand-in-hand with other tax scams. Limit who can authorize wire transfers, set up additional verification policies, and let staff know about the risk.
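The "From" and "Reply to" review recommended above can be partly automated. The following is an added example, not part of the original post or any TAZ product: the domains, the sample message, and the keyword lists are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed keyword lists for this sketch; tune them to your own mail flow.
URGENT = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|direct deposit)\b", re.I)

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def review_message(raw, company_domains):
    """Return a list of reasons this message needs out-of-band verification."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if from_dom not in company_domains:
        flags.append("from-outside-company")
    # The W-2 scam pattern: From looks like the boss, replies go elsewhere.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs-from-from")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = f"{msg['Subject'] or ''}\n{body}"
    if URGENT.search(text):
        flags.append("urgent-language")
    if SENSITIVE.search(text):
        flags.append("asks-for-payroll-data-or-funds")
    return flags

# Constructed sample: From looks internal, Reply-To is a lookalike domain.
SAMPLE = """\
From: "Pat Boss (CEO)" <ceo@example-corp.test>
Reply-To: ceo@examp1e-corp.test
To: payroll@example-corp.test
Subject: URGENT - need all employee W-2s

Please send me the W2s for all staff immediately.
"""

if __name__ == "__main__":
    for flag in review_message(SAMPLE, {"example-corp.test"}):
        print("verify by phone before replying:", flag)
```

Any flag is a prompt to verify the request by phone or in person, not proof of fraud; a message with no flags still deserves the same verification when it asks for bulk W-2 data.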
According to IRS.gov, W-2 scam victims should notify the IRS that they’ve been compromised. Here’s how:
- Email firstname.lastname@example.org to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.
- In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
- Include the following:
  - Business name
  - Business employer identification number (EIN) associated with the data loss
  - Contact name
  - Contact phone number
  - Summary of how the data loss occurred
  - Volume of employees impacted
What if you only receive a suspicious email, but don’t fall for it? You can still help the IRS fight these bad guys. Forward the full email to email@example.com and use “W2 Scam” in the subject line.
This tax season, like every other, stay alert for tax scams like this, and always think before you click!