What should you do if your company becomes the victim of a W-2 scam? The IRS recently explained how to report the scam and your next steps (and how to avoid being taken in by this scam!).

What Is A W-2 Scam?

Any company can be the target of a W-2 scam. These scams have become one of the most dangerous e-mail crimes involving tax administration in recent years. In brief, the e-mail look to be from an executive or organization leader to a payroll or HR employee. It asks for tax and personal information about employees, and by the end of the exchange, all of an organization’s Forms W-2 for their employees may be in the possession of cybercriminals. Workers end up at risk for tax-related identity theft.

Since payroll officials think they have corresponded with a company executive, it can take time for the data theft to be discovered. The criminals are able to take advantage of this lag, going ahead and filing fraudulent tax returns within days to steal tax refunds. This is such a threat to taxpayers that a special IRS reporting process has been established.

How to Report the Scam

The IRS advises employers who have been victims of this scheme to report it through these five steps:

• E-mail dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. The subject line should read “W2 Data Loss” so that it can be routed properly. Do not attach any information about employees’ personally identifiable data.
• E-mail the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
• A business/payroll service provider needs to file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). Such providers may be also asked to file a report with their local law enforcement agency.
• Let employees know so they can take steps to protect themselves from identity theft. The Federal Trade Commission’s identitytheft.gov details general steps employees should take.
• Forward the scam e-mail to phishing@irs.gov.

The IRS also encourages employers to put protocols in place for sharing sensitive employee information including W-2 forms. For instance, you might require any distribution of sensitive W-2 data or wire transfers require two people to review in advance. Another example would be requiring a verbal confirmation before e-mailing W-2 data. And employers are strongly urged to educate their payroll and human resources departments about these scams—they are the first line of defense.