With the US tax season well and truly underway, scammers are coming out of the woodwork to try and earn a little of your well-deserved moolah.
According to an alert issued in late February by the FBI, the IRS’s Online Fraud Detection & Prevention (OFDP) department has observed an increase in reports of phishing emails requesting sensitive data. Specifically, the emails are seeking access to W-2s, the forms used to report wages for tax purposes, which therefore include lots of sensitive information.
According to the release, HR personnel are being increasingly targeted as scammers shift their priorities away from individual property theft and instead focus on strategies that will net them mass data. In the latest rash of phishing emails, the FBI notes that “the most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.” The requests are typically followed by or combined with a request for an unauthorized wire transfer.
To avoid falling prey to these scammers, the bureau suggests that businesses limit the number of employees eligible to handle W-2-related information requests or tasks. Businesses can add a further layer of protection by also limiting the number of employees eligible to approve and/or conduct wire transfers. Further, the feds recommend that any information request seemingly coming from an internal employee be verified with a simple and quick phone call to confirm that the request is indeed legitimate.
Now, if you’re entering the panic zone because you’ve already received a phishing email and provided information in response, do not despair. “If notified quickly after the loss, the IRS may be able to take steps that help protect your employees from tax-related identity theft,” the FBI noted. To contact the IRS about such a situation, email them at firstname.lastname@example.org with the subject line “W-2 data loss” so that they can route your email accordingly. In that email, do not provide any sensitive information, but do include your business’s name, the employer identification number associated with the data loss, your contact name and phone number, a summary of how the data loss occurred, and the number of employees potentially impacted.
Beyond the IRS, you’ll also need to take action to let the Federation of Tax Administrators know of the breach. You can contact them at StateAlert@taxadmin.org and they will provide information on next steps. Similarly, you’ll want to loop in the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov, as well as reach out to your local police department to file a report.
Now, if you have received a phishing email, but chose to ignore it, first give yourself a pat on the back, and then go ahead and forward it along to the IRS so that they can analyze it as part of their ongoing investigations into these types of crimes. To report phishing emails, please follow the steps outlined here.
It should also be noted that the IRS will never contact you via email, except in cases where it is in response to an email request that you have previously made (such as in the circumstances outlined above). Other modes of communication not used by the IRS – but certainly favored by scammers – include contacting users via social media platforms like Facebook or Twitter, as well as simple phone calls requesting sensitive data (they might call, but they wouldn’t request data).
Stay safe and stay vigilant this tax season!