Each tax season, new fraudulent scams arise to put taxpayers and businesses on high alert. This year is no different.
The IRS has issued a warning reminiscent of a similar concern from the 2016 tax filing season – beware of an email phishing scam that uses a corporate officer’s name to ask for employee W-2 forms from payroll and human resources departments. For the second year, complaints of this email phishing scam are popping up throughout the U.S, according to the IRS. The newest twist to this scam is asking for money to be transferred by wire and is hitting various types of new unsuspecting taxpayers, including churches, schools and other not-for-profit organizations.
In 2016, cybercriminals duped many payroll and HR employees to hand over employee names, Social Security numbers and income information via email. The cybercriminals then used the information to file tax returns on behalf of the employees, seeking their tax refunds.
Don’t be spoofed
The means of delivering these emails is known as “spoofing.” That is because the cybercriminals create counterfeits of corporate email addresses to trick employees into taking action. In the case of the W-2 scam, it appears the company’s CEO is sending an email to a payroll office or HR employee to request a list of employees and information including Social Security numbers.
In January, the Better Business Bureau Northwest warned businesses of another phishing scam, this time targeting users of Intuit’s QuickBooks software. The email has the subject line “QuickBooks Support: Change Request” and says it is a confirmation from Intuit that a business has changed its name. There is a link in the email that claims to cancel the request, and if victims click on it, they are directed to a site that downloads malware to their device. The cyber criminals can then capture passwords and other personal information from the device.
This is a good reminder that businesses need to set a strong foundation to prevent the ever-growing threat of email phishing in their organization. Building a security awareness program should include training employees on how to identify suspect emails, how to report them and how IT can help communicate current threats.
Don’t let your guard down
As tax filing season continues, businesses and taxpayers should continue to stay vigilant through all forms of communication.
Scammers have long impersonated IRS agents via phone calls, and the latest scam variation is asking “Can you hear me?” or other yes or no questions when the person on the other end picks up. If the person answers “Yes,” the answer is recorded and might be used by the scammer to authorize fraudulent charges on a credit card or a utility or phone bill.
In 2016, scammers used automated telephone calls to solicit W-2 information from payroll professionals. Through these automated calls, which were an effort to reach the largest number of victims as possible, fraudsters also demanded tax payments on gift cards, requested payments for a nonexistent “federal student tax,” pretended to be from the tax preparation industry and claimed to verify return information over the phone.
If you receive a phone call from someone claiming to be from the IRS, call the IRS back at 1-800-829-1040 to find out more information. The IRS continues to remind taxpayers that it will never demand immediate payment over the phone or call about a tax obligation without having first mailed a bill. The IRS also cautions that they will never send a legitimate notice as an attachment to an email. The IRS does not use email or social media to initiate contact with taxpayers.
Click here to learn more about how to protect you and your business from email phishing scams.