State warns employers about W-2 phishing scams

The Delaware Department of Justice’s Consumer Protection Unit is cautioning Delaware employers to be on guard for fake IRS phone call scams and IRS Form W-2 email phishing scams that are targeting Delaware employers.

The Consumer Protection Unit also warns Delawareans about an email scam that has been circulating nationwide and is targeting a wide variety of public and private-sector employers, including retail businesses, universities, secondary school districts, nonprofit organizations, hospitals, and law firms.

Typically, the scammer sends a “spoofing” email posing as an internal executive or official within the organization, requesting employee payroll data, including IRS W-2 forms that contain Social Security numbers and other personally identifiable information. If these cybercriminals are successful in tricking payroll and human resource officials into disclosing that data, they can use the data to file fraudulent tax returns for refunds and commit other forms of identity theft.

According to the IRS, these are examples of the details that may be contained in some of these emails:

  • “Kindly send me the individual [2018] W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employee wage and tax statement for [2018], I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

The IRS has also established a process that will allow employers and payroll service providers to quickly report any data losses related to this W-2 scam: https://www.irs.gov/individuals/form-w2-ssn-data-theft-information-for-businesses-and-payroll-service-providers. The IRS has established a dedicated email address for employers to report W-2 scams and data thefts: dataloss@irs.gov. According to the IRS, if notified in time, the IRS can take steps to prevent employees from being victimized by identity thieves filing fraudulent returns in their names. There is also information about how to report receiving the scam email even if an employer did not fall victim to the scam.

The Consumer Protection Unit also reminds employers that if they are victimized by this scam, they have suffered a data breach and may need to give notice to affected individuals under Delaware’s data breach notification law (Title 6, Chapter 12B of the Delaware Code), and may also need to give notice under other applicable state or federal law. Employers who suffer a data breach are encouraged to consult with legal counsel to ensure compliance with all applicable data breach notification laws.