It’s Tax Season. Beware the Latest IRS Phishing Scams


The IRS is warning organizations about an email “phishing” scam targeting human resources departments. An email that appears to be from a company executive will ask someone in HR or payroll to send W-2 forms or a list of employees with their salaries and personal information. Victimized companies have inadvertently sent employees’ Social Security numbers and other sensitive data to the scammers, who can then use the information to file bogus tax returns and obtain fraudulent refunds.

The W-2 phishing scam appeared last year, primarily targeting for-profit companies. This year the scammers are also going after school districts, tribal organizations and nonprofits. IRS Commissioner John Koskinen has called it “one of the most dangerous email phishing scams we’ve seen in a long time.”

Unfortunately, the W-2 phishing scam is one of many email and malware schemes attempting to defraud taxpayers. The IRS reported a 400-percent uptick in phishing and malware incidents during the 2016 tax filing season, and the flood of attacks doesn’t appear to be abating. New and evolving phishing scams have already appeared in recent weeks, prompting the IRS to put phishing at the top of its “Dirty Dozen” list of tax scams for 2017.

In most of these scams, criminals send emails that appear to be from the IRS, a tax software provider or another trusted person or organization. In some cases, they may hack into an email account in order to send the phishing emails from a legitimate address. These emails ask for personal information, or claim that the taxpayer is due a big refund or owes a big tax bill. Often, the email will contain a malicious attachment or link that infects the victim’s computer with malware.

Remember, scammers continue to use phishing techniques because they work. In a recent study of a mock phishing attack, 78 percent of participants stated that they were aware of the risks of unknown links but 45 percent clicked anyway when sent a phishing email.

You can avoid becoming a victim of an IRS scam if you keep these things in mind:

  • The IRS generally does not communicate with taxpayers via email, and never requests sensitive information via email, text message or other electronic means.
  • When the IRS does communicate with taxpayers, it will address correspondence to the taxpayer’s name, not “Taxpayer,” “Beneficiary” or other generic term.
  • Official IRS email addresses end in “irs.gov” or “treas.gov.” IRS forms and publications are found on the irs.gov website.
  • While the IRS won’t win any literary awards, it is careful about spelling, grammar and punctuation. Scam emails are often riddled with errors.

If you receive a suspicious communication that purports to be from the IRS, visit the Report Phishing and Scams page for instructions on what to do. If you receive what appears to be an internal email requesting sensitive information, ask the person if he or she sent it, or offer to provide the information in a secure way.

It also makes good sense to implement an effective spam filtering solution as well as security tools that can detect spoofed “from” addresses and suspicious email content. Contact Verteks for assistance.
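The checks from the list above can be partly automated when triaging a message that claims to come from the IRS. The following Python sketch is an added example, not code from the IRS or Verteks; the function names, the keyword list and both sample messages are constructed for illustration, and it assumes a single-part plain-text message. It matches the sender domain on a label boundary, because a naive "ends in irs.gov" test would also accept a domain such as fakeirs.gov.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OFFICIAL_DOMAINS = ("irs.gov", "treas.gov")      # domains named in the article
GENERIC_GREETINGS = ("taxpayer", "beneficiary")  # generic terms named in the article
# Constructed keyword list for "sensitive information"; tune it for your own mail.
SENSITIVE = re.compile(r"social security number|\bssn\b|\bw-2\b", re.I)

def is_official_domain(domain):
    """Match irs.gov / treas.gov or a real subdomain, on a label boundary."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def irs_phish_indicators(raw_message):
    """Return indicator names for a message that claims to be from the IRS."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    if not is_official_domain(domain):
        findings.append("sender-domain-not-official")
    lines = body.strip().splitlines()
    greeting = lines[0].lower() if lines else ""
    if any(greeting.startswith("dear " + g) for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    if SENSITIVE.search(body):
        findings.append("requests-sensitive-data")
    return findings

# Constructed sample: the sender domain only looks like irs.gov.
SAMPLE_SPOOF = (
    "From: IRS Refunds <refunds@irs.gov.example.net>\n"
    "Subject: Your refund is waiting\n\n"
    "Dear Taxpayer,\n"
    "Reply with your Social Security number to claim your refund.\n"
)
# Constructed sample: official domain, named recipient, no data request.
SAMPLE_CLEAN = (
    "From: IRS <notice@irs.gov>\n"
    "Subject: Publication update\n\n"
    "Dear Jane Doe,\n"
    "The updated publication is available on the irs.gov website.\n"
)

if __name__ == "__main__":
    print(irs_phish_indicators(SAMPLE_SPOOF))
```

An empty result is not proof that a message is legitimate: the From header can be forged, and as noted above, scammers sometimes send from a hacked legitimate account. Use it alongside the verification steps described in the article, not instead of them.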

