A newer and insidious scam whose targets were once exclusively private-sector businesses is now being used against nonprofit organizations and school districts, according to Better Business Bureau of Minnesota and North Dakota (BBB).
The Internal Revenue Service (IRS) says the “W-2” scam is carried out by criminals who disguise an email to make it look like it came from a top executive or business colleague. The IRS says the phony email is sent to the company or organization’s accounting or human resources department, typically asking for a list of all of the company’s W-2 tax forms, employees’ dates of birth and Social Security numbers.
“Criminals are now focusing on consumers’ personal information because it has a potentially much larger payout than run-of-the-mill credit card fraud,” said Susan Adams Loyd, President and CEO of Better Business Bureau of Minnesota and North Dakota.
This W-2 scheme came to light in 2016. It is believed this type of phishing scheme is perpetrated by individuals or organizations looking to use the pilfered personal information to file fraudulent tax returns. This scam has since developed a new twist in which the cybercriminal subsequently sends an additional email, asking that a wire transfer be made to a specific account outside of the company.
Newer targets of the W-2 scam include school districts, healthcare providers, chain restaurants, temporary staffing agencies, tribal casinos and delivery companies. This scheme has already successfully targeted a Twin Cities school district in recent days.
Published reports indicate the fake emails may include wording such as: “Can you send me the updated list of employees with full details (Name, Social Security Number, date of birth, home address and salary),” or “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
How to Prevent W-2 Theft
- Re-evaluate workplace procedures – These schemes are easiest for criminals to run when a business lacks the checks and balances necessary to protect employees’ and clients’ information and to handle requests for money transfers by untraceable means.
- Meet with all employees – In the past, this type of activity was not something companies or nonprofits gave much thought to. Make sure all employees understand how these schemes work.
- Review written policies – Implement organizational policies to prevent the W-2 and similar office scams from succeeding. This will help not only existing employees but also others who join your organization, so that they too will be on their guard.
You can learn more about these and other scams at the Internal Revenue Service’s website, irs.gov/.