Your small business is responsible for collecting, verifying, and processing heaps of financial information during tax season (which begins on January 23, 2023). During this period, it’s often necessary to send and request files to and from various departments, partners, and vendors to comply with IRS due dates and avoid tax penalties.
But taxpayers and businesses aren’t the only ones keeping busy during tax season. Cybercriminals, fraudsters, and scammers prey on unsuspecting businesses to steal sensitive information about employees.
In many cases, this type of cybercrime takes the form of a W-2 scam. Let’s look at what W-2 scams are, how they work, why it’s important to prevent them, and what you can do if you fall victim to a W-2 scam.
What Are W-2 Phishing Scams?
A W-2 scam is when someone poses as a company employee or executive to gain access to the personal information included in team members' Form W-2.
The stolen information is then used to file fraudulent tax returns and claim your employees’ refunds. This causes complications for your employees when it’s time for them to submit their returns, since it looks like they’ve already received their tax refunds.
The scammer might also use the employee’s personally identifiable information (PII) to take out new debt or sell the information to other criminals (for example, on the dark web).
So what, exactly, can a scammer see on a W-2? These forms include:
- Social Security number (SSN)
- Annual income
- Taxes withheld
Form W-2 information also includes your business’s employer identification number (EIN) and state ID number.
This worrisome scam is a form of phishing, called a business email compromise (BEC), and it usually starts with an email.
How Do These Scams Work?
Typically, a W-2 scam begins when a fraudster combs through your business’s social media profiles, website, and LinkedIn to gather employee information, including titles, responsibilities, email addresses, and relationships.
This information is then used to pose as a higher-up “persona,” like a company executive, owner, or HR director.
When tax season begins, the scammer forges—or “spoofs”—an email address to appear as if it belongs to the impersonated individual. (For example, YourCEOsName@YourBusinessName.net.)
After spoofing a legitimate-looking email address, the scammer sends a W-2 phishing email to your company’s accountant or human resources representative with a request for your company’s W-2 forms. They may also target individual employees—particularly new, junior, or entry-level employees—emailing them with a request for W-2 information.
Because the request appears authentic, the recipient has little reason to reject it. As a result, the scammer gets access to the personal information included on each W-2 form. With each Form W-2 in hand, the scammer then has what they need to either file a fraudulent return or make some quick cash by selling the information.
What Do W-2 Scam Emails Look Like?
According to the Internal Revenue Service (IRS), examples of a W-2 scam email are:
- Kindly send me the individual 2022 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2022, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
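A mail filter can hold messages like these for verification before anyone replies. The sketch below is an added example, not part of the IRS guidance or the original article. It checks a message for W-2 request wording, an external sender domain carrying an executive's display name, and a Reply-To that diverts elsewhere. The company domain, executive name, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the real mail domain and executive names.
COMPANY_DOMAIN = "yourbusinessname.com"
EXECUTIVE_NAMES = {"pat rivera"}
# Wording modelled on the IRS sample emails listed above.
W2_REQUEST = re.compile(r"\bW-?2\b|wage and tax statement|social security number", re.I)

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """\
From: Pat Rivera <pat.rivera@yourbusinessname.net>
Reply-To: pat.rivera.ceo@mailbox.example
To: hr@yourbusinessname.com
Subject: Quick review

Kindly send me the individual 2022 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""
SAMPLE_LEGIT = """\
From: Pat Rivera <pat.rivera@yourbusinessname.com>
To: hr@yourbusinessname.com
Subject: Lunch on Friday

Team lunch is moved to noon.
"""

def w2_scam_indicators(raw_email):
    """Return the reasons to hold a single-part text message for verification."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    reasons = []
    if W2_REQUEST.search(text):
        reasons.append("requests W-2 or employee PII")
    # A From address on the real domain needs SPF/DKIM/DMARC results to judge.
    if from_domain != COMPANY_DOMAIN:
        reasons.append(f"external sender domain: {from_domain}")
        if display.lower() in EXECUTIVE_NAMES:
            reasons.append("executive display name on external address")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To diverts to {reply_domain}")
    return reasons

if __name__ == "__main__":
    print(w2_scam_indicators(SAMPLE_SPOOF))
```

Any message that returns a W-2 request reason together with a sender or Reply-To reason is a candidate for the phone-call verification described later in this article.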
How W-2 Scams Negatively Impact Your Business and Your Employees
The FTC records phishing schemes and W-2 scams as instances of tax-related identity theft and fraud. According to its 2021 Consumer Sentinel Network Data Book, identity theft accounted for 1,434,676 total reports, with tax fraud making up about 6.2 percent of those reports.
What does this mean for your small business and employees?
As mentioned, Form W-2 includes sensitive personal information—including all the details a scammer needs to steal an employee’s identity, claim an employee’s tax refund, or take out new debt in an employee’s name. W-2 scams can also delay the processing of a legitimate tax return.
Additionally, the collected information might even be listed and sold on the dark web, resulting in further cybercrimes, such as additional acts of identity theft or data breaches (including the ability to steal your employees’ personal passwords or gain access to their personal banking, credit, and social media accounts).
From a small business standpoint, a successful W-2 email scam can cause a variety of issues. For example, it can expose your company to potential legal issues, like a class-action lawsuit.
It can also negatively impact your budget and bottom line. Handling the fallout of a successful W-2 scam can result in increased labor hours and costs, a rise in your cyber insurance premium, and a potential hit to your business reputation. It can also impact employee morale and turnover, complicating regular business operations and increasing expenses.
How to Protect Your Business From W-2 Scams
Your small business needs to implement a proactive prevention strategy to protect you and your employees from falling victim to W-2 scams. So how, exactly, do you do that? Some steps you’ll want to take include:
- Assessing your risk: Risk management is a process of reviewing your current systems and processes to help identify, assess, and mitigate vulnerabilities that can threaten your business and its employees. Effective risk management can reveal security flaws—like ineffective email filters, insufficient (or nonexistent) encryption, and weak or stolen passwords and credentials—that allow cybercriminals to spoof emails or identify lax policies that make you more vulnerable to potential W-2 scams. It can also reveal gaps in the insurance coverage that protects your business from financial damage after a successful W-2 scam or phishing scheme, like low coverage limits or lacking the proper policy.
- Training your team on cybersecurity techniques: The more informed your employees are, the less vulnerable they’ll be to getting scammed. Provide your employees with frequent training on best practices to avoid and recognize W-2 scams. Share resources, such as recent consumer alerts and known tax scams, that help employees identify common techniques for stealing company data. Teach employees to identify spoofed emails, verify the authenticity of links, and recognize scam email tells—such as misspellings, incorrect grammar, and doctored logos.
- Instituting scam prevention policies: The FBI recommends businesses protect against W-2 scams by limiting the number of employees with access to employees’ personal information, verbally or physically authenticating requests for W-2 forms, verifying the identity of a requesting party through alternative methods (such as a phone call or text), and requiring dual-approval for potentially suspicious requests.
- Simulating W-2 scams: Craft and send mock email scams to your employees to call attention to existing vulnerabilities and areas where you can improve training. Use the information you learn during practice to continually hone and improve your processes and cover new techniques in your next training session.
- Sharing real-world examples of W-2 scams: Nothing drives home the severity of a threat like a real-world example. Share news reports that demonstrate the impact a W-2 scam has on a business and its employees to highlight the importance of prevention and protection.
What to Do if You’re a Victim of a W-2 Phishing Scam
Cybercriminals and fraudsters are persistent; they’re constantly looking for ways to bypass your risk avoidance methods.
Fortunately, understanding how you and your employees should respond to a successful W-2 scam can mitigate the extent of its damage and make matters right.
As a small business owner, you’re responsible for protecting your employees and their information. If your business falls victim to a W-2 scam, your response can limit the damage done to both your employees and the business itself.
Here’s what to do if you find yourself dealing with a W-2 scam:
- Email the IRS: Send an email to firstname.lastname@example.org with the subject line “W2 Data Loss.” In your email, include the name of your business, your EIN, your contact information, how the W-2 scam happened, and the number of employees affected. Do not include any employee information.
- Report the fraud to your state tax agency: Report the W-2 scam to your state tax agency. You can email StateAlert@taxadmin.org for information on who to contact.
- File a complaint with the Internet Crime Complaint Center: Businesses and payroll service providers should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3). You might also be asked to provide details to your local law enforcement agency.
- Alert your employees: After alerting the IRS, your state tax agency, and law enforcement, you need to tell your employees about the data theft. This lets them take steps to protect their identities and finances and prepare to deal with the consequences of the W-2 scam.
- Contact your insurance company: If you have cyber insurance, you should contact your insurance company to begin the claims process. You should also contact your IT department to determine if there have been any other data breaches or ongoing security risks that need to be mitigated and resolved, like stolen or exposed passwords, keyloggers that record what employees type, or malware that steals and transmits sensitive employee data.
If you receive a W-2 phishing email—but don’t fall for the scam—it’s still important to alert the authorities. In this situation, the IRS asks that you:
- Save the W-2 scam email as a file on your computer.
- Keep the email headers intact and in plain ASCII text format.
- Attach the saved file in an email to email@example.com with the subject line “W2 Scam.”
- File a complaint with the IC3.
It’s not just small businesses that need to deal with the consequences of a W-2 scam. Employees need to take steps to protect their personal information—which is why it’s so important for you to alert them to a successful data theft as soon as possible.
The IRS recommends that your employees:
- Read the Taxpayer Guide to Identity Theft, Publication 5027, Identity Theft Information for Taxpayers, and Publication 4524, Security Awareness for Taxpayers.
- Contact one of the three credit bureaus to place a fraud alert or credit freeze on their accounts.
- Report potential identity theft on IdentityTheft.gov.
In addition, employees should keep a close eye on their credit reports through services like AnnualCreditReport.com. They might also wish to cancel or freeze credit and debit cards, contact their insurance companies, and change passwords.
Frequently Asked Questions About W-2 Scams
Still have questions about Form W-2 and W-2 scams? Let’s look at some FAQs regarding W-2s and W-2 phishing scams.
Can someone steal your identity with your W-2?
Yes. Form W-2 includes your personally identifiable information, including your name, address, and Social Security number. Criminals can use this information to steal your identity, apply for credit and loans, and cause significant financial harm if not stopped in time.
What happens if someone finds your W-2 form?
Someone who finds a W-2 form that doesn’t belong to them should ignore it, return it to their employer, or mark it “return to sender” and place it back into a mailbox (if it was mailed and is still inside its envelope).
It is illegal and fraudulent for someone to use the information on your W-2 form to file a tax return, apply for credit, or do anything else they don’t have permission to do or aren’t authorized to do on your behalf (as would be the case with a tax preparer or accountant).
If you never received your W-2 and you have reason to believe it was stolen or tampered with, you should proceed as if you fell victim to a W-2 scam. You should also monitor your finances and credit to determine if your identity was stolen and take steps to mitigate any damage.
Is W-2 mail legal?
Yes. The IRS requires that employees receive Form W-2 electronically or by mail. Though federal law prohibits anyone from stealing or tampering with mail, make sure your employer has the correct address and contact information on file before they begin processing W-2 forms.
Take a Proactive Stance Against W-2 Scams and Identity Theft
As a small business owner and employer, you’re responsible for properly handling and safeguarding your employees’ personally identifiable information. W-2 scams can expose this information to cybercriminals and fraudsters, causing significant financial harm to both your business and its employees.
Avoid falling victim to W-2 phishing scams by implementing policies and procedures that proactively protect against data theft. Train your employees to recognize scams and understand the process for dealing with successful phishing attempts to mitigate damage and protect your business and employees.