Explore All Topics

IRS Issues Alert For W-2 Phishing Scams

2 min read

2 min read

Have you heard about the business email compromise (BEC) or business email spoofing (BES) scam? These scams involve phishing, where scammers pose as legitimate companies to obtain personal information in order to file fraudulent tax returns.

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.

With phishing scams, the cyber criminals’ goal is to lure employees to provide personal information, like your name, Social Security number, and birthdate– all critical requirements for submitting tax information.

Who is Targeted with W-2 Phishing Scams?

With this type of scam, any business entities or organizations in America could be a target. While scammers originally focused their effort on for-profit corporations, they are now targeting school districts, restaurants, hospitals, tribal organizations, and non-profit organizations. People in payroll, human resources, and accounting have a higher likelihood of being targeted, as they have access to employees’ personal information.

“After I had already gone through the stuff with the IRS, [my company] sent out a mass email saying our W-2s were compromised. A lot of the people who work for the company had this same thing happen where they were getting their taxes rejected because someone had already filed them with their Social Security numbers… You guys really helped me out… Calmed my nerves.” – Jackie K. (2017 Tax Identity Shield Member)

 How Does The W-2 Phishing Scam Work?

  1. Scammers send a fake email posing as a legitimate corporate employee.
  2. Scammers request information about employee W-2 forms and earnings summaries from a company’s payroll or HR department.
  3. Some scammers even ask for a list of employees with personal information (first and last name, date of birth, Social Security number, home address, phone number, and salary).

Take Action

The IRS published an official announcement about this scam to alert the public and educate them about the scam. While some companies and individuals might have been alerted in time, others may not have. If you’ve received a BEC scam email, take the following steps:

  • Forward it to the IRS Phishing Division at phishing@irs.gov. The subject line should read “W2 Scam”
  • File a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation
  • Alert state tax agencies at StateAlert@taxadmin.org

If you believe you might be a victim of a phishing scam, you should consider learning more about Tax Identity Shield® from H&R Block. (If you are already a member, sign in here.)

Was this topic helpful?