The IRS, state tax agencies and the tax prep industry have renewed warnings about an email scam that began last tax season. The scam uses a real corporate officer’s name to request employees’ W-2s from a company’s Payroll or HR department.
Last week, the IRS reported that it had already received new notification that this email scam is again plaguing Payroll and HR departments around the nation. It’s urging payroll professionals to double check any executive-level or unusual requests for lists of W-2s or employees’ Social Security numbers (SSNs).
This phishing variation, known as a spoofing email, will often contain the actual name of your company’s CEO or another high-ranking company official. In one variation, the CEO sends an email to the Payroll or HR department and requests a list of employees and their personal identifying information, including SSNs. Be on the lookout for emails that contain this language:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)
- I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
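A triage heuristic in the spirit of the warning above, written here as an added example (it is not code from the original article or from the IRS): it parses an email, checks whether the display name matches a known executive whose real address differs, whether the sender or Reply-To domain is external, and whether the text asks for W-2 or SSN data. The executive roster, company domain and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster of executives and the company's own mail domain (assumptions).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
COMPANY_DOMAIN = "example-corp.com"

# Phrases taken from the scam wording quoted above, plus the data items it asks for.
REQUEST_PATTERNS = [
    r"\bw-?2\b", r"earnings summary", r"wage and tax statement",
    r"social security number", r"\bssn\b", r"date of birth",
    r"list of employees", r"full details",
]

def score_message(raw: str) -> dict:
    """Return whether a raw RFC 822 message looks like a W-2 spoofing request, and why."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    known = EXECUTIVES.get(from_name.strip().lower())
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    if known and from_addr.lower() != known:
        reasons.append("display name matches an executive but address does not")
    if from_domain != COMPANY_DOMAIN:
        reasons.append("sender domain is external")
    if reply_domain != from_domain:
        reasons.append("Reply-To points elsewhere")
    hits = [p for p in REQUEST_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("asks for payroll data: " + ", ".join(hits))
    # Flag only when a data request coincides with an identity or routing anomaly.
    return {"flagged": bool(hits) and len(reasons) > 1, "reasons": reasons}

# Constructed sample messages: one spoofed request, one ordinary executive email.
SPOOFED = """From: Jane Doe <jane.doe@example-corp-mail.com>
Reply-To: ceo.office@mailbox-free.example
To: payroll@example-corp.com
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
"""
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Board meeting

Please book the conference room for Thursday.
"""
```

Wiring this into a mail gateway or SIEM rule gives Payroll a second signal beside the out-of-band verification the article recommends; it is a heuristic, not a substitute for calling the executive.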
Won’t get fooled again
January 31 is D-day for your W-2s and 1099-MISC forms on which you’re reporting non-employee compensation in Box 7. Everything must be filed with the government by the close of business on that day.
But don’t relax your guard about this email scam. We gave some advice last November, which bears repeating now:
- Inform upper management that the Payroll department will not respond to emails asking for employees’ personal identifying information. Instead, all requests should be in writing, on paper and verified.
- Require Payroll staff to use strong passwords (numbers, symbols, upper- and lower-case letters) on all computers and tax software programs and—inconvenience aside—require that those passwords be changed every 60 to 90 days.
- Train Payroll staff in security and nondisclosure, especially to outsiders who phone or ask for information to be faxed or emailed.
- Never let employees take home documents on which sensitive data appear. This includes downloading information to a laptop or USB drive.
- Use caution when allowing or granting staff remote access to internal networks that contain sensitive data.