It's officially here, tax season. Ugh! January 23 was the first day you could file online and scammers are already out in force.
The U.S. Treasury Inspector for Tax Administration said that various cases of tax fraud have cost victims over $50 million since 2013. Unfortunately, it looks like these scams could be worse than ever now.
The IRS has issued an alert warning employers that a W-2 email phishing scam has evolved beyond the corporate world. Not only is the scam spreading, but it's also incorporating other techniques intended to line the criminals' pockets with even more stolen money.
How the latest tax scam works
Cybercriminals are using various spoofing techniques to make fake emails appear to be from an executive within an organization. The email is sent to employees in payroll or HR asking for a list of all employees and their W-2 forms. This is a type of business email compromise (BEC) scam.
If an employee gives the scammer your W-2 form, there are many terrible potential consequences. The criminal will have your personal data, which can lead to many forms of theft. Also, they could file a fraudulent tax return in your name.
According to the IRS, here are some details that are being found in the fake emails:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees' with full details (Name, Social Security Number, Date of Birth, Home Address, Salary.)
- I want you to send me the list of W-2 copy of employees' wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.
Scammers aren't stopping there. On top of asking for W-2 forms, the criminal is sending another email to payroll or the comptroller requesting that a wire transfer be made to a certain account. Phishing scammers actually tried to target our Komando.com studios with one of these types of attacks not long ago; they failed.
Some companies have fallen for both of these scams, though. They lost both employees' W-2 forms and thousands of dollars due to wire transfers.
The IRS is urging all employers to warn their payroll, finance and human resources departments about these scams. It is also suggesting that companies create an internal policy on the distribution of employee W-2 information as well as on conducting wire transfers.
What you need to do
The IRS is giving steps that both employers and employees need to take if impacted by the W-2 scam.
Steps for organizations:
- Organizations receiving a W-2 scam email should forward it to firstname.lastname@example.org and place "W2 Scam" in the subject line.
- Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3). It's operated by the FBI.
Steps for employees:
- Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
- Employees should file a Form 14039, Identity Theft Affidavit, if the employee's own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.
These latest scams are variations of others that have appeared in the past year focusing on large-scale thefts of sensitive tax information. Individual taxpayers can also be targeted with these types of phishing scams.
The IRS says taxpayers should not use search engines to find technical help with taxes or tax software. Selecting the wrong link could lead to a loss of data or an infected computer.
Also, software tech support will not call users randomly. This is another type of scam.
If you need help finding a paid tax professional for tax help, you can use the IRS Choosing a Tax Professional lookup tool. If you want free help, you can review the Free Tax Return Preparation Programs.
Taxpayers looking for tax software can use Free File, which offers 12 brand-name products for free, at www.irs.gov/freefile. If you are looking for tech support for your software products, go directly to the provider's webpage.
How to avoid phishing attacks
Since these tax scams begin with a phishing email, it's good to know how to avoid falling victim. Here are some suggestions that will help:
- Be vigilant with email communication - Check email addresses carefully, especially those coming from executives asking for financial transactions. A missing character on the address could spell the difference between safety and compromise. If an executive requests a wire transfer or sensitive information, verify its validity before following through.
- Be cautious with links - If you get an email or notification from a site that you find suspicious, don't click on its links. It's better to type the website's address directly into a browser than to click on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn't what the link claims, do not click on it.
- Do an online search - If you get a notification about something that seems suspicious, do an online search on the topic. If it's a scam, there are probably people online complaining about it and you can find more information.
- Watch for typos - Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.
- Use multi-level authentication - When available, you should be using multi-level authentication. This is when you have at least two forms of verification, such as a password and a security question, before you log in to any sensitive accounts.
- Have strong security software - Having strong protection on your family's gadgets is very important. The best defense against digital threats is strong security software.
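For payroll and HR mailboxes, the address check and the request wording described above can be automated: the sketch below flags a sender domain that is a character or two off the real one, a Reply-To that differs from the sender, and a request for W-2 data or a wire transfer. It is an added example, not code from the IRS or from this article; the domain `acmecorp.test`, the phrase list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "acmecorp.test"  # assumption: the organization's real mail domain
# Wording modelled on the requests the IRS quoted from the fake emails.
SENSITIVE = [r"\bw-?2\b", r"social security number",
             r"wage and tax statement", r"wire transfer"]

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a near-miss of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    """Lower-cased domain of the address in a From/Reply-To header value."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def review_reasons(raw):
    """Reasons a single-part text email needs out-of-band verification."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    reasons = []
    if 0 < edit_distance(sender, ORG_DOMAIN) <= 2:
        reasons.append("lookalike-sender-domain")
    if reply and reply != sender:
        reasons.append("reply-to-differs-from-sender")
    if any(re.search(p, msg.get_payload(), re.I) for p in SENSITIVE):
        reasons.append("sensitive-request")
    return reasons

# Constructed sample messages (not real mail); .test/.invalid are reserved TLDs.
LOOKALIKE = ('From: "Pat Chief, CEO" <ceo@acmecrp.test>\nSubject: quick review\n\n'
             "Kindly send me the individual 2016 W-2 (PDF) of all staff.\n")
REPLY_TO = ("From: ceo@acmecorp.test\nReply-To: ceo@mailbox.invalid\n\n"
            "Please make a wire transfer to the account below today.\n")
BENIGN = "From: hr@acmecorp.test\nSubject: lunch\n\nMenu for Friday attached.\n"

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO),
                      ("benign", BENIGN)]:
        print(name, review_reasons(raw))
```

A message that returns any reason is one to confirm with the executive by phone or in person before anything is sent; a From header that exactly matches the real domain can still be forged, which is why the Reply-To and content checks run independently of the domain check.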