W-2 Scam Targets Businesses, Nonprofits, and Tribal Organizations as Tax Filing Deadline Approaches

The Attorney General’s Office of Consumer Protection (OCP) has received multiple reports of businesses being targeted by a sophisticated “spear phishing” email scam that is also known as the “CEO Scam” or the “W-2 Scam.”  While OCP has only received reports of three businesses falling victim to this scam so far in Montana, nationally, other entities have been targeted in this scam, such as nonprofit and tribal organizations.  The Internal Revenue Service (IRS) warns that this scheme is meant to compromise the personal information of as many people as possible within each targeted organization.

“Spear phishing” is a more focused form of “phishing,” or posing as a legitimate source to gain access to sensitive personal identification and financial information.  “Spear phishing” emails are sent to specifically targeted recipients and are designed to look like they were sent from someone the recipient knows and interacts with – possibly a business owner, a supervisor, a colleague, or a department manager.  The email’s subject line and content are likely to be specific to the target recipient’s business responsibilities or interests.

“This ‘spear phishing’ scam is especially despicable because it takes advantage of the trust that colleagues build between each other,” said Montana Attorney General Tim Fox.  “These cybercriminals often research their intended target by exploring the target recipient’s LinkedIn and other social media pages to build a convincing email.  It’s easy to fall victim to those emails.  Educating Montana businesses, charities, schools, tribal organizations, and others about the existence of this type of scam is the best defense we have,” Attorney General Fox added.

The Montana Office of Consumer Protection has received dozens of notices about the following specific “spear phishing” scam as the April 18 tax deadline approaches:

A person pretending to be a company executive sends an email to a staff member, usually someone who works in the human resources or payroll department.  Cybercriminals use various ‘spoofing’ techniques to disguise the email address so that it appears to come from an executive of the organization.  The email requests a list of all employees’ W-2 information, including employees’ names, addresses, social security numbers, and wage information.  When the staff member replies to the email with the W-2 information, the scammer gains possession of the type of sensitive personal information that allows them to commit identity theft.  The scammer may even file fake tax returns to steal the employees’ tax refund money.

If you, or someone you know, receives an unusual email requesting such information, do not respond immediately.  Instead, contact the alleged email sender or company executive by phone or in person to ensure that the request for W-2 information legitimately came from within your organization.

If the request was not legitimate, the scam attempt should be reported to the IRS at [email protected] with ‘W2 Scam’ in the subject line, and reported to the Montana Department of Justice’s Office of Consumer Protection through OCP’s convenient online reporting form here, or by phone at (800) 481-6896 or (406) 444-4500.

Organizations whose W-2 information has been compromised should report the theft immediately to the IRS so the agency can take steps to help protect employees from tax-related identity theft.  The next step is to file a complaint with the Federal Bureau of Investigation’s Internet Crime Complaint Center.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at http://www.identitytheft.gov/steps or the IRS at www.irs.gov/identitytheft.  Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return is rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

For more information about guarding against identity theft and what to do if you think you’re a victim, you can also visit the Montana Department of Revenue’s identity theft website.

NEXT STEPS:  To get updates on the latest scams and identity theft attempts affecting Montanans, sign up for Consumer Alerts from the Office of Consumer Protection.  To report an attempted scam, use OCP’s convenient online reporting form here.  You can also call to speak with an OCP investigator at (800) 481-6896 or (406) 444-4500, visit OCP’s homepage at https://dojmt.gov/consumer/, or call your local law enforcement agency.