Tax season brings warnings from the IRS and many tax agencies for small businesses to be on guard against a growing wave of identity theft and W-2 scams. Yes, businesses too can fall victim to having their identities stolen and their private and sensitive information used to open credit card accounts or to file fraudulent tax returns for fake tax refunds.
As business owners and employers, we hold sensitive tax data on our employees, such as Form W-2 data, which is also highly valuable to identity thieves and is often used to file fake tax returns. Therefore, be vigilant in taking steps to protect your business and your employees’ sensitive data.
Signs of Potential Identity Theft
The IRS urges businesses, partnerships, and estate and trust filers to contact the IRS if they experience any of the following:
- Extension-to-file requests are rejected because a return with the Employer Identification Number (EIN) or Social Security Number (SSN) is already on file.
- An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS.
- An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer.
- Failure to receive expected and routine correspondence from the IRS because the thief has changed the address.
Spotting W-2 Scams
Businesses of all sizes and industries are targets of W-2 scams, which in recent years have become one of the more dangerous email scams for tax administration. W-2 con artists and cybercriminals will hack into an executive’s email account and send messages from that alias targeting human resources and/or payroll departments. In the email, the criminal, posing as the executive, will request a file containing the W-2 forms of the staff. They then attempt to file fraudulent tax returns for refunds. Don’t think you would fall for this scam? Last year, more than 200 businesses/organizations fell for the scam. Everyone is susceptible. Today, W-2 cons have evolved beyond the corporate sector to target all types of organizations, including universities, charities, and medical companies.
Protect your business. Consider these proactive steps:
- Employers should create an internal policy, if one is lacking, on the distribution of employee W-2 information.
- Conduct regular employee training regarding phishing. During the training, be sure to show employees real phishing examples.
- Require a verbal confirmation before emailing W-2 data. Employers also are urged to educate their payroll or human resources departments about these scams.
- Establish a process for reporting suspicious emails. Don’t click or download anything if you are unsure of the sender or content. Forward the email to the IT department and then delete it.
- Exercise restraint when it comes to your company’s social media accounts. Don’t publish information on your website or through social media that could be used against you. Attackers perpetrating CEO fraud schemes have been known to use these channels to find out information about when executives at a targeted organization are traveling or out of the office.
- If your business has fallen victim to a scam, notify employees so they may take steps to protect themselves from identity theft. The Federal Trade Commission’s site, www.identitytheft.gov, provides guidance on general steps employees should take. Forward the scam email to email@example.com.