With the ongoing risk of identity theft and W-2 scams, a recent news release from the IRS reminds employers to protect employee information and explains how to report scams.
The W-2 scam in particular has become more prevalent and dangerous. Here’s how it often works:
- A payroll or human resources employee receives an email that appears to be from a supervisor or executive.
- The email usually takes a casual, conversational approach, for example simply asking whether the employee is in the office that day. By the end of the email exchange, the sensitive data has been requested – perhaps framed as needed for verification purposes – and all of the organization's employee Forms W-2 are in the hands of cybercriminals.
- Because the payroll or HR employee believes they are responding to an internal request, it may take weeks to realize the data theft has occurred.
What to do if you've been scammed
Due to the threat to taxpayers, a special IRS reporting process has been established. The following is a list of reporting instructions for impacted employers:
- Notify the IRS of a W-2 data loss by sending an email to email@example.com. To ensure the email can be routed properly, list the subject line as “W2 Data Loss” and include your contact information. Do not include or attach any employee personally identifiable information.
- Get information on how to report victim information to the states by sending an email to the Federation of Tax Administrators at StateAlert@taxadmin.org.
- File a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov. Businesses and payroll service providers may be asked to file a report with their local law enforcement agency as well.
- Forward the scam email to firstname.lastname@example.org.
Take action quickly
According to the IRS, the criminals often act quickly, sometimes filing fraudulent tax returns within a day or two of the breach.
Finally, the IRS advises employers to act quickly and notify employees. Employees may then take steps to protect themselves from identity theft. The Federal Trade Commission's website provides guidance on steps to take.
As we shared in this recent alert, employers should also be aware that they can be responsible for damages in such phishing scams.
How to protect your organization from such scams or phishing threats
Phishing exploits human weaknesses even more than technical vulnerabilities. If you want to effectively protect your network from phishing attacks, address the human source of the problem, first and foremost by educating and training your employees. Most employees are willing to help, but won’t be able to if they don’t know how.
At AGH, our technology professionals are equipped with the tools necessary to help educate your staff on the dangers of phishing and reduce their susceptibility to attacks, as well as how to improve their handling of sensitive information. Our training addresses your employees’ vulnerabilities and leaves them better prepared to protect your information assets.
Additionally, consider consulting with experts at AGH before a cyber crisis happens. An incident response plan and mitigation efforts can help your company recover more quickly and with less disruption should a cyber security incident occur. Finally, the AGH team is prepared to assist in emergency situations as well. Notify us immediately should you find your organization’s data has been compromised.
Don't wait to get started
If you'd like more information on protecting your employees' information or payroll processes from phishing threats, contact Mike Ludlow using the information below.
Information in this document has been obtained by Allen, Gibbs & Houlik, L.C. from sources believed to be reliable. However, AGH does not guarantee the accuracy nor completeness of any information. This communication does not and is not intended to provide legal, accounting or other professional advice or opinions on specific facts or matters, and accordingly, AGH assumes no liability whatsoever in connection with its use. Nothing in this communication can be used to avoid penalties that may be imposed by a governmental taxing authority or agency.
Payroll Operations Manager
Mike oversees the operations of AGH’s payroll service bureau. He and his team handle payroll processing, reporting, and tax filings for multi-state and multi-site companies.
His 15+ years of experience include accounting, finance, and payroll. Most recently, Mike performed similar functions for an outsourced payroll and accounting provider. He previously gained knowledge as a financial analyst for a technology and document solutions company, where he performed accounting duties, managed a database, and managed an operational team.
Mike is a dynamic process improvement specialist with an eye for detail while maintaining a big picture outlook. He has built and managed employee, customer, and vendor relationships throughout his career.