How To Protect Yourself Against The W-2 Phishing Scam

As if tax time isn't stressful enough, it also happens to be the time of year when the W-2 phishing scam goes into overdrive. Your W-2 is the form your employer provides to you at the end of the tax year. It includes your personal information, like your name, address, and Social Security number. It also details your earnings, your chosen withholdings, and everything you need in order to file your taxes.
A glance at your W-2 is all a scammer needs to commit fraud. What is the W-2 phishing scam and why is the IRS so concerned about it? Here's how to identify scammers and protect yourself from fraud.

What Is The W-2 Phishing Scam?

The W-2 phishing scam is a concerted effort by fraudsters to get you to hand over your tax forms. These scammers don't discriminate. They might send an email to your personal or work email. They might also target HR managers or other staff with access to the entire company's tax forms. If you send over your form, the person hiding behind the account can then file fraudulent tax returns.
That means they can upload the returns and collect the refunds. When you or your employees then try to file your taxes, you'll find out that someone already sent in their return and collected the money.

How To Recognize A Phishing Scam

W-2 phishing scams come in different forms, but all will try to pose as someone legitimately interested in your tax forms. For example, they might set-up a spoof email to try to impersonate the CEO of your company. Their email will politely request that you send your tax returns to them by email. The email might look incredibly legitimate.
Even a federal cybersecurity contractor fell for one email and turned over access to all employee tax documents. It's rare for a manager or company leader to ask for tax forms, especially over email. Additionally, the IRS Will Never ask for this information via email.

What To Do If You Think You Have A Phishing Email

Most of us have email inboxes protected by various layers of security and artificial intelligence that send suspicious emails packing. But some emails still creep in. W-2 phishing email scams tend to come from email addresses posing as legitimate addresses or people. They are almost always unsolicited.
If you find a phishing email, mark it as junk mail or spam and do not respond - not even to be funny. If you can tell from the address or subject line that the email is strange, don't even open it. If you think you recognize the person or the company, contact them by phone using a phone number you know is real.
Do not use the information contained in the email. No matter what, be sure never to open an attachment in an email you don't fully trust. Clicking links or downloading attachments makes you vulnerable to malware and viruses that can attack your systems.

What To Do When It Comes From The "IRS"

Did you receive an email claiming to come from the IRS? The IRS wants you to report it. Forward the email to phishing@irs.gov and then delete the original email. The IRS requests that you only share the W-2 phishing scam with that email. If you get an email for relating to a different IRS scam (fake invoices, wire transfer, title/escrow issues), then report the problem to the Internet Crime Complain Center.
Did you reply to the phishing email and wonder if you did the wrong thing? Make sure to tell the IRS if you were a victim of the scam. Remember: the IRS never contacts taxpayers via email, text, or social media. Any information requests come through the post and using official IRS forms.

How To Protect Your Office Against The Scammers

The W-2 phishing scam evolves every year as people become more aware of the techniques used. There are two ways to protect your workforce from this type of tax scam.

1. Train Your Team

Scammers attempting to score your financial documents don't rely on technological tricks. Instead, they rely on misinformation and a lack of security awareness. Make sure W-2 scams are part of your entire workforce's digital security training. Build it into your suspicious email category, and share examples of previous scams, so everyone knows what to look for.
You can't stop your employees from getting the email, but you can train them to recognize a fraudulent one. Don't forget to remind all employees to report suspicious emails to your IT team or leadership. The IRS wants to know about new changes to the W-2 phishing scam.

2. Use Human Two-Factor Authentication

Second, put a process in place for double-checking the authenticity of these requests. If someone in administration or elsewhere in the company gets an email asking for personal details, they need a way to double check. It needs to exist outside of the email chain in question. The simplest way is to cross-check the request with the person asking directly.
If they claim to be in your company or with your accountant agency, pick up the phone and call them from the number you know belongs to them (not the number in the email).

Don't Give Out Your Tax Records

There are very few reasons that anyone will ask for your W-2 outside of a W-2 phishing scam. If you get a strange request personally or as an administrator, be sure to cross-check the request with someone knowledgable. Remember, these scammers rely on ignorance and confusion far more than on technical skill.
Do you need proof of a paycheck or your W-2? You don't need to wait for your employer to send it. You can create yours securely with the paystub maker. Try it out today!