IRS warns W-2 e-mail scam attacks on the rise

STATEWIDE — The Colorado Department of Revenue (CDOR) joins the IRS in promoting the “Don’t Take the Bait” campaign, a fraud awareness series aimed at tax professionals. CDOR partners with the IRS, other state revenue departments and tax professionals to help combat refund fraud.

During 2017, the IRS saw a rise in the W-2 scam, more formally known as a business email compromise (BEC). In a BEC, a cybercriminal who is able to “spoof” or impersonate an executive’s email address within a company or organization sends an email to a payroll, financial or human resources employee. The message usually asks the receiver to forward employees’ Form W-2 information or to transfer funds into a specified account (wire transfer).

The Form W-2 contains sensitive information including the employee’s name, address, Social Security number, income and withholdings. Once criminals have access to this information, they can file fraudulent tax returns or profit from selling it. During the 2016 filing season, the IRS found criminals were immediately filing fraudulent tax returns identical to the actual income received by employees, making it more difficult to detect the fraud.

This scam is one of the most dangerous phishing email schemes targeting tax administrations nationwide, with the number of targeted organizations increasing from 50 in 2016 to 200 in 2017. Businesses, public schools, universities, tribal governments and nonprofits were among those affected, with several hundred thousand employees’ sensitive data stolen. The FBI has identified the culprits as national and international organized crime groups that have targeted organizations and businesses in all 50 states and 100 countries worldwide. The IRS encourages tax professionals to be mindful of threats to their own systems and to educate their clients about the dangers of BEC scams.

What steps can tax professionals take to prevent the W-2 scam?

• Verbally confirm requests for W-2s, wire transfers or any sensitive data exchanges.

• Verify requests and require a secondary sign-off by company personnel for location changes in vendor payments.

• Educate employees about the W-2 scam, especially those with access and authorization to make changes to sensitive information.

• Get assistance from an IT professional to implement the following FBI security recommendations.

1. Create a rule in your organization’s email system to flag emails where the “reply” address is different from the “from” address.

2. Create a rule in your organization’s email system to flag any e-mails sent from domains that closely resemble the company’s own email domain.
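The two FBI mail-filtering rules above, as an added Python example that is not part of the IRS/CDOR notice: it parses a raw message, flags a Reply-To address that differs from the From address, and flags a sender domain within a small edit distance of the company’s domain. The company domain example-corp.com and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # hypothetical company domain (constructed)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_addr(header):
    """Return (lowercased address, domain) from a From/Reply-To header, or ('', '')."""
    _, addr = parseaddr(header or "")
    addr = addr.lower()
    return addr, addr.rpartition("@")[2]


def looks_like(domain, company, max_edits=2):
    """Rule 2: domain resembles the company's domain but is not identical to it."""
    if not domain or domain == company:
        return False
    norm = lambda d: d.replace("-", "").replace("_", "")  # abc_corp vs abc-corp
    return norm(domain) == norm(company) or edit_distance(domain, company) <= max_edits


def check_message(raw):
    """Return the list of rule names the message trips (empty list if clean)."""
    msg = message_from_string(raw)
    from_addr, from_dom = parse_addr(msg["From"])
    # Rule 1: with no Reply-To header, replies go to From, so nothing to compare.
    reply_addr, reply_dom = parse_addr(msg["Reply-To"]) if msg["Reply-To"] else (from_addr, from_dom)
    flags = []
    if reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    if any(looks_like(d, COMPANY_DOMAIN) for d in {from_dom, reply_dom}):
        flags.append("lookalike-domain")
    return flags


SAMPLE_MESSAGES = {  # constructed samples, not real mail
    "legit": "From: Pat Lee <pat.lee@example-corp.com>\nTo: payroll@example-corp.com\n"
             "Subject: Q1 headcount\n\nSee attached.\n",
    "reply_to": "From: Pat Lee <pat.lee@example-corp.com>\nReply-To: pat.lee.ceo@gmail.com\n"
                "To: payroll@example-corp.com\nSubject: Urgent W-2 request\n\nSend all W-2s today.\n",
    "lookalike": "From: Pat Lee <pat.lee@example-c0rp.com>\nTo: payroll@example-corp.com\n"
                 "Subject: Wire transfer\n\nUpdate the vendor account.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, check_message(raw))
```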

Businesses and organizations victimized by these attacks are advised to notify the IRS so steps can be taken to help prevent employees from being victims of tax-related identity theft. Victims of W-2 theft should contact the IRS at [email protected] with “W-2 scam” in the subject line of the email and information about the point of contact included in the message.

Businesses and organizations that receive a suspect email, but are not victims of the scam, can forward the email to [email protected] with “W-2 scam” in the subject line. Visit IRS.gov/e-file-providers/dont-take-the-bait for more information on the W-2 scam and the “Don’t Take the Bait” campaign.