According to the IRS, the amount of phishing scams targeting W-2 forms rose sharply this year compared to last. In 2016, around 50 companies and organizations fell victim to such scams while during this year’s tax season, that number increased to around 200. They were aimed at businesses, public schools, universities and nonprofits among others and several hundred thousand employees’ data were stolen.
Most of the scams work by sending a fake email that looks like it’s coming from a company executive to someone in the organization that has access to W-2s — payroll, human resources or financial department employees, for example. The email typically asks for an employee list and W-2s and sometimes requests a wire transfer as well. Since the beginning of 2015, the FBI reports that the amount of confirmed losses from business email scams has increased by 1,300 percent and now totals over $3 billion.
The IRS is asking businesses that have been victimized by these sorts of scams to report them via email through email@example.com. Those that may have been targeted by a W-2 phishing scam but didn’t expose any data should email firstname.lastname@example.org. In both cases, “W-2 scam” should be used as the subject line. Businesses and organizations should also report the scams to the FBI through its Internet Crime Complaint Center.