By Cindy Mastrofrancesco
Recognizing and preventing W-2 phishing attempts in your organization

January can be a very busy month for many organizations. Whether there is a change in management structure, the implementation of a new system or process, or the arrival of new employees, it’s a period of transition. It’s also when employees anxiously await their Form W-2 from their employer. As Vice President of Payroll Operations at Adams Keegan, a national payroll and HR firm, I know that this is an ideal time to review your organization’s internal processes to prevent it from falling victim to cybersecurity threats.
Along with the Internal Revenue Service (IRS), we at Adams Keegan lead and promote efforts to make employers aware of phishing attempts targeting employee and company confidential information. The most recent phishing attempts involve "spoofing" emails that may appear to be from your company’s CEO or other executive officers. Please exercise extreme caution if you receive a request for W-2 information. We recommend that you reach out to the requesting party, either by phone or in person, to confirm that they sent the email before gathering and releasing any documents. Always use a secure, password-protected delivery method when sending sensitive information.
In addition to Form W-2, there has been an increase in spoofing emails requesting existing direct deposit information or asking to change direct deposit enrollment on an employee’s behalf. These phishing attempts occur throughout the year and can target the same employee multiple times. Stay vigilant and ensure you validate the sender’s email address and confirm the identity of the requesting party before providing any information or making changes to an employee’s record.
If your organization offers an online employee self-service portal, such as Efficenter®, encourage employees to use it. Employees can access electronic copies of their Form W-2 and make updates to their records, including address changes, direct deposit enrollment, or tax withholding certificates. These portals are designed to keep employee information safe and confidential. It's worth taking extra security measures – such as verification steps or multi-factor authentication (MFA) – when logging in to your account, rather than risking an impostor gaining access to sensitive data.
For additional alerts, you can refer to the IRS updates below:
- IR-2016-34: IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s
- IR-2017-10: IRS, States and Tax Industry Renew Alert about Form W-2 Scam Targeting Payroll, Human Resource Departments
- IR-2017-20: Dangerous W-2 Phishing Scam Evolving; Targeting Schools, Restaurants, Hospitals, Tribal Groups and Others
- IR-2017-130: Don't Take the Bait, Step 6: Watch Out for the W-2 Email Scam

If you believe you have been a victim of any W-2 scam or if you receive a phishing email in the future, feel free to reach out to your Payroll Account Manager for guidance on how to report it to the IRS, or visit the "Report phishing" page on the Internal Revenue Service website.