In a recent release, the IRS explains what employers should do if they become victims of a W-2 scam.

Background Information

Any employer could become the target of a W-2 scam. In recent years, these scams have become one of the more dangerous e-mail crimes involving tax administration. The e-mails appear to be from an executive or organization leader to a payroll or human resources employee. An exchange may start with a simple, “Hey, you in today?” and then ask for tax and personal information about employees. By the end of the exchange, all of an organization’s Forms W-2 for its employees may be in the hands of cybercriminals. This puts workers at risk for tax-related identity theft.

Because payroll officials believe they are corresponding with a company executive, it may take weeks for someone to realize a data theft has occurred. Generally, the criminals are trying to quickly take advantage of the theft. In some cases, they file fraudulent tax returns within a day or two to steal tax refunds. This scam is such a threat to taxpayers that a special IRS reporting process has been established. 

The IRS is advising employers who are the victims of this scheme to report it as follows:

  • E-mail dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the e-mail can be properly routed. Don’t attach any information about employees’ personally identifiable data.
  • E-mail the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • A business/payroll service provider should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). A business/payroll service provider may be asked to file a report with its local law enforcement agency.
  • Notify employees so they can take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
  • Forward the scam e-mail to phishing@irs.gov.

The IRS is also encouraging employers to put steps and protocols in place for the sharing of sensitive employee information such as Forms W-2. One example would be to have two people review any distribution of sensitive W-2 data or wire transfers. Another example would be to require a verbal confirmation before e-mailing W-2 data. Employers also are urged to educate their payroll or human resources departments about these scams.