IRS Warns Of Increase In Phishing Scams Targeting Employee W-2s

King & Spalding

The Internal Revenue Service (“IRS”), along with state tax agencies and the tax industry, recently issued a warning to employers about increasingly prevalent “phishing” email scams targeting the W-2 tax form information of employees.

The IRS’s warning comes at the peak of the tax season, when employers are providing their workforces with annual W-2 tax forms. While cyber criminals use a host of techniques to steal sensitive and personal information from organizations and individuals, the specific scheme being warned of involves a cyber criminal posing as an employee or officer of an organization and requesting via email that another employee—usually in the payroll department—send them employees’ W-2 forms. In many cases, the cyber criminal will identify a high-level individual at the organization to impersonate, such as a C-suite executive or school administrator, increasing the likelihood that the payroll employee will comply with the request and provide the sensitive information. The IRS notes that because the fraudulent emails appear legitimate, an organization may not even realize the scam occurred until weeks or months later.

Employee W-2s are a valuable commodity for cyber criminals, as they include an employee’s name, address, Social Security number, income, and withholdings information. After the information is stolen from an employer, the IRS says some criminals will use it to file fraudulent tax returns on behalf of the victimized employees, and others will attempt to sell the information on the Dark Net.

While the phishing email scams are not new, the IRS warns that the number of occurrences continues to rise each tax season. The IRS reports that in 2017 alone over 200 employers were victimized, meaning “hundreds of thousands” of employees had their personal information stolen. To combat this trend, the IRS is proactively seeking to educate employers on how to avoid being scammed, and it also established reporting methods for employers to notify the IRS when they are targeted by a scam.

The IRS hopes its new measures will help organizations avoid these scams altogether. However, given their prevalence and increasing sophistication, even diligent employers may find themselves the victim of a scam. Once the sensitive employee W-2 data is sent to a cyber criminal, the affected employer will likely face numerous legal obligations in addition to internal issues relating to their employees. During last year’s tax season, King & Spalding’s Data, Privacy & Security Group issued a client alert about W-2 phishing scams and the steps that affected employers must take immediately upon discovering they are a victim, including:

  • Contacting data security counsel with experience handling W-2 phishing incidents to assess and minimize exposure to legal liability;
  • Conducting a privileged investigation into the incident to determine what happened and who is affected;
  • Notifying the IRS and relevant state tax authorities so they may protect the accounts of affected employees; and
  • Assessing and complying with statutory notification obligations and advising the affected employees of steps to take to prevent identity theft.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
