Warning: Scammers Say, "Show Me Your Employees' W-2s!"

Miles & Stockbridge P.C.

As employers prepare to send employees their W-2s for last year by the end of the month, cybercriminals are preparing phishing emails under the guise of company executives requesting personal information on employees. The IRS has warned payroll and human resources professionals of the surge in these schemes particularly during the tax season when companies’ guards may be down and such requests may not appear out of the ordinary. These hackers have become more sophisticated in their schemes by researching the names of company executives and then “spoofing” an email that purports to be from the executive and requests a list of employees and their personal information, including W-2s and social security numbers, from the payroll department. Although email phishing schemes are more common, hackers also may try to gain access to this information by making targeted stealth hacks into a company’s computer systems. Criminals then use this stolen information to sell on the dark web or file fraudulent tax returns in your employees’ names to obtain refunds.

To reduce your risk of falling victim to these schemes, employers, and particularly payroll and human resources departments, should take the following important safety precautions:

  • Remind one another that requests for W-2 files should be met with a healthy dose of skepticism. Your CEO, for example, likely has no reason to need all employees’ W-2s, especially not on a rush basis.
  • If you receive requests for sensitive information (like W-2s and other personal information), even if it appears to be from someone you know within the company, verify the request with the sender in person or with a phone call to ensure that they actually want and need the information.  
  • If you have verified that the request is legitimate, never send W-2s via email unless they are encrypted. If you are unsure how to encrypt a file, ask your IT professional. Encryption keys are best communicated verbally over the phone. Without stating the obvious, sending the key in the same email as the encrypted file defeats the purpose of the encryption. Similarly, sending the encryption key in a separate email is not helpful if an email account has been compromised.
  • Immediately investigate any complaints you receive from employees who notify you that they could not file their taxes because someone had apparently already done so in their name. This is often the first warning sign a company will receive that a W-2 data breach has gone undetected in their organization.  
  • Do not respond to emails from your spam folders, even if they appear to be from people inside your organization. Thankfully, many of your company’s technical safeguards catch and segregate phishing attempts, so assume an email in that folder is there for a good reason. Many phishing schemes use sender addresses that look nearly indistinguishable from the address being spoofed.
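As an added illustration of the two warning signs described above (an executive's name on a request that does not come from that executive's address, and a sender domain that looks like the company's but is not), here is a small Python check that a payroll or IT team could run over an incoming message before anyone replies. This is example code written for this post, not something from Miles & Stockbridge or the IRS; the company domain, the executive directory, the confusable-character table and the two sample messages are all constructed for the demonstration.

```python
import re
import unicodedata
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed data for this example (not from the original post): the company's
# real mail domain and a small directory of executives whose names are likely
# to be used as bait in a W-2 request.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}

# Terms that mark a request for the data this scam targets.
SENSITIVE_TERMS = re.compile(r"\b(w-?2s?|social security|ssn|payroll records)\b", re.IGNORECASE)

# Visually confusable characters folded to the Latin letter they imitate
# (a short, constructed table; a production check would use a fuller one).
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "|": "l", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
})


def skeleton(domain: str) -> str:
    """Reduce a domain to a canonical form so look-alikes collide with the real name."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = folded.translate(_CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def assess(raw_message: str) -> dict:
    """Return the spoofing findings for one RFC 5322 message and a verdict."""
    msg = message_from_string(raw_message, policy=default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    findings = []
    # 1. An executive's name in the display name, but not that executive's address.
    expected = EXECUTIVES.get(" ".join(display_name.lower().split()))
    if expected and from_addr.lower() != expected:
        findings.append("display_name_impersonates_executive")
    # 2. A sender domain that folds to the company's domain but is not it.
    if from_domain != COMPANY_DOMAIN and skeleton(from_domain) == skeleton(COMPANY_DOMAIN):
        findings.append("lookalike_sender_domain")
    # 3. A Reply-To that sends the answer somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply_to_diverts_replies")
    # 4. The message asks for the data this scam is after.
    if SENSITIVE_TERMS.search(text):
        findings.append("requests_sensitive_payroll_data")

    sensitive = "requests_sensitive_payroll_data" in findings
    spoof_signals = [f for f in findings if f != "requests_sensitive_payroll_data"]
    if sensitive and spoof_signals:
        verdict = "verify_out_of_band"   # do not reply; confirm by phone or in person
    elif sensitive:
        verdict = "verify_with_sender"   # the post's advice even for known senders
    elif spoof_signals:
        verdict = "suspicious_sender"
    else:
        verdict = "ok"
    return {"verdict": verdict, "findings": findings, "from": from_addr}


# Constructed sample messages for the demonstration.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
To: payroll@example.com
Subject: W-2s needed ASAP

Hi, I need the W-2s for all employees for a review this afternoon. Please send as PDF.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Board meeting agenda

Can you confirm the agenda for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, assess(raw))
```

The verdict for the spoofed sample is "verify_out_of_band": the display name matches an executive but the address does not, the domain `examp1e.com` folds to the company's own domain, and the Reply-To quietly redirects the answer elsewhere. A request for W-2s from a genuine internal address still comes back as "verify_with_sender", which matches the post's advice to confirm such requests by phone or in person regardless of who appears to have sent them.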

Finally, if your company has reason to believe that it has fallen victim to this scheme, despite your best intentions and efforts to avoid it, take action immediately. Even more so than with standard data breaches involving other types of personal information, thieves put stolen W-2s to use very quickly, sometimes within 24 hours. Therefore, you should provide notice to your affected employees as quickly as possible so that they can take action to protect their data and hopefully avoid a fraudulent tax return being filed in their name. Also, states have specific laws regarding who must be notified, and in what time frame, after a data breach. Consult with an experienced attorney who can counsel you through these breaches to mitigate the harm to your organization and employees.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Miles & Stockbridge P.C. | Attorney Advertising
