This post was written by Larry Blair.
The Internal Revenue Service, along with state tax authorities, is cautioning businesses to beware of an email phishing scam that uses a corporate officer’s name to ask company payroll and human resources departments for employee W-2 forms.
Company payroll officers must double-check any executive-level or unusual requests they receive by email for lists of Forms W-2 or Social Security numbers.
Cybercriminals trick payroll and HR employees into giving up employee names, SSNs and income information in response to the emails. Identity thieves then file tax returns using the employees’ W-2 information, seeking their tax refunds.
This variation on the phishing scheme is known as a “spoofing” email. It may include the actual name of a company CEO. The purported CEO sends an email to a company payroll office or HR employee and requests a list of employees and information including SSNs.
The following is an example of a request that may be included in an email:
“Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all Forms W-2 of our company staff for a quick review.”