Now that Tax Season 2017 is upon us, it is time once again to remind your HR departments to remain vigilant against the pervasive threat of identity theft and refund fraud arising from the distribution of personal tax information, primarily in the context of socially engineered requests for employee W-2 forms.

In particular, recent tax schemes have begun with a fake phone call or phishing scam targeted at an HR or accounting department with the goal of receiving unauthorized access to an employee’s W-2 information or social security number. Phishing attacks usually involve sending emails that link to a website. After the recipient clicks on the link, the website prompts individuals to enter valuable personal or financial information for a fake purpose. Fraud experts might also disguise their email addresses (e.g., by changing a zero to a capital letter “O”) and pretend they are employees requesting personal information via email.

Once the criminals receive this information, they will submit a fake tax return to the IRS depriving a taxpayer of the opportunity to receive their refund checks. The fraudsters only need a name, date of birth and social security number to file a fake return. They will also ensure the payout is modest, so as to avoid attracting any attention, and will submit a new address at which to receive the funds. In one day, criminals can fill in over 15 returns and can expect their refund checks in about seven days¹. As of March 5, 2016, the IRS reported that it identified 42,148 fraudulent tax returns with $227 million claimed in refunds². Fortunately, the IRS has been cracking down on these schemes and prevented the issuance of $180.6 million (79.6 percent) in fraudulent refund claims in 2016³. However, despite their efforts, the IRS still failed to prevent the payment of almost $50 million in refunds that were fraudulent.

To make matters worse, victims affected by these schemes will not discover that they have been attacked until they submit their own tax returns. At this point, the criminal has probably already received his check and is long gone with the money. While the IRS does keep records of earned wages and income reported by taxpayers’ employers, it does not review these records until several months after it issues the refund checks. As a result, some victims entitled to refunds did not receive their money for almost a year after attempting to file their actual returns.⁴

For the 2017 season, the IRS has added several new features centering on the use of verification codes and the implementation of several dozen new data elements with electronically filed tax returns, all aimed to help ensure the authenticity of tax software users. We have yet to see how effective these new measures will be.⁵

What can your organization do to prepare?

We recommend taking the following steps to help keep your employees’ personal information safe:

1. Training: Conduct annual training with at least your HR and accounting departments to make them aware of the latest schemes. The training should also remind members of these teams to never send social security numbers, W-2s, and other sensitive financial and personal information via email or phone to anyone.

2. W-2 Delivery: Create and implement a secure method for sending annual W-2s to employees. If sending electronically, we recommend distributing the documents through a secure file sharing portal; otherwise you may send them in the mail. Ensure employees are reviewing and updating their addresses periodically, or at least annually.

3. Risk Management: Implement risk management procedures such as requiring HR and accounting teams to forward information about suspicious communications to management and requiring supervisor/management approval before responding to any requests for information via email or phone.

4. Information Sharing: Provide alerts and updates to your departments when potential incidents are discovered. Continue to monitor the IRS website for alerts and distribute these alerts to your team. 

5. Action Plan: Create an action plan detailing your organization’s response in case of an identity theft incident.

Remember, the IRS generally does not initiate contact with taxpayers or their employers by email, text message or other social media to request personal or financial information.

If you do receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System, report it by sending it to phishing@irs.gov.

Any individuals affected by a tax fraud scheme may report the incident to the IRS by following their instructions at https://www.irs.gov/uac/taxpayer-guide-to-identity-theft.