Your human resources department is the latest target for scammers trying to steal your identity at tax time.
The IRS is warning companies and other organizations such as schools and nonprofits of a growing W-2 email phishing scam known as business email compromise or business email spoofing. Sophisticated cybercriminals are sending emails to human resources and payroll departments disguised to look as though they’re coming from a high-ranking organization executive.
The email requests a list of all employees and their W-2 forms. Employers who unknowingly comply with the bogus request are compromising the data of all workers.
Reports of the scam focused on companies last year at tax time, but are surfacing earlier in this year and now include school districts, tribal casinos, chain restaurants, staffing agencies and health care organizations, among others, according to the IRS. It illustrates a trend among cybercriminals to shift their focus to large-scale data theft in addition to targeting individuals.
The agency is urging companies to make their employees aware of the scam and to implement a formal policy around sharing W-2 information. Companies that receive such an email should forward it to firstname.lastname@example.org.
Organizations that may have fallen victim to the scam can report the problem to the FBI’s Internet Crime Complaint Center. Employees who believe their data has been compromised should follow the steps recommended by the FTC and the IRS. Filing your taxes early will help you avoid the problem, since scammers will not be able to file using your credentials if you’ve already done so.