IRS Alerts Payroll And HR Professionals To Phishing Scheme Involving W-2s (IR-2016-34)

Holland & Knight

Contributor


Kathleen Nilles is a partner in Holland & Knight's Washington D.C. office

On March 1, 2016, the Internal Revenue Service (IRS) began alerting employers and their payroll staff about a phishing scheme that cyber-criminals are successfully using to trick payroll and accounting staff into releasing their employees' W-2 forms to persons outside the company. In most cases, the outsiders are seeking to "monetize" the data—either by filing false refund claims or by selling the data thereby obtained to other cyber-criminals. The gist of the scam is an incoming e-mail made to appear as if it is coming from a company executive, such as its CEO, CFO or controller. The e-mail politely requests the recipient to send the executive a copy of all employee W-2 forms by electronic means, such as a PDF file. We are already hearing from companies and other organizations whose staff members have been tricked by the data requests.

If a tax data breach of this type occurs, there are several measures that a company should take immediately. First, contact should be made with the Criminal Investigation Division (CID) of the IRS. Besides working to apprehend the perpetrators, IRS CID is generally able to immediately put the employees' taxpayer identification numbers (TINs) on a watch list so that fraudulent requests for tax refunds using the employee tax data can be scrutinized and rejected. Second, the company should assist employees with identity theft remediation efforts, including the filing of IRS Form 14039 (Identity Theft Affidavit). Additional measures may also be warranted.

Even if a tax data breach has not occurred, the IRS Release provides companies with a reminder to review and tighten up internal control procedures, particularly as they pertain to the use and handling of employee tax data and personal information. All companies should have a plan in place to prevent and deal with data breaches of this type.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
