Income tax identity theft is a multibillion-dollar problem that costs the government and, by extension, us, the taxpayers, billions of dollars each year. It also tremendously inconveniences the individual taxpayers whose identities are stolen, as it generally takes the IRS months to fully investigate each instance of identity theft and send the victimized taxpayer his or her legitimately owed tax refund. Armed with a potential victim’s name and Social Security number, an income tax identity thief can easily file a phony return with a counterfeit W-2 to obtain a fraudulent income tax refund.
A year ago, when this scam first surfaced, I warned you about identity thieves tricking companies into providing employee W-2s to them. These stolen W-2s contain all of the information the identity thieves need to file a fraudulent income tax return. In this scam, the identity thieves send phishing emails to HR and accounting departments within companies, often posing as the CEO of the company or someone else in upper management, and request copies of all employee W-2s under various guises. Other times, payroll management companies have been targeted using the same type of phishing emails. In some instances, the phishing emails have been recognized as scams, but in other instances, companies have unwittingly handed over thousands of W-2s to clever identity thieves.
Now the IRS has issued an urgent alert indicating that the scam has evolved from merely targeting companies to also targeting school districts, non-profit organizations, restaurants, temporary staffing agencies and others. In addition, the IRS is saying that the scammers are now combining this scam with the business email scam, so that the email asking the employees to send W-2s also asks them to wire money for various purposes. According to IRS Commissioner John Koskinen, “Although not tax related, the wire transfer scam is being coupled with the W-2 scam email, and some companies have lost both employees’ W-2s and thousands of dollars.”
All companies have got to do a better job of training employees to recognize phishing emails and of installing anti-phishing software programs. In addition, dual factor authentication should be used before transmitting sensitive data to make sure that the person to whom the material is being sent really is who they claim to be.
These same lessons that apply to companies apply to all of us as individuals as well. Phishing is done to steal the identities and information of unwary individuals every day, and the best way to protect yourself is to start by remembering my motto, “trust me, you can’t trust anyone.” Never provide personal information to anyone who asks for it by phone, text message or email unless you have absolutely confirmed that the request is legitimate and that the person or company requesting the information has a legitimate need for it. Never click on links or download attachments from emails or text messages unless you have confirmed they are legitimate, because those links and attachments could contain keystroke-logging malware that can steal all of the information from your computer, which can then be used to make you a victim of identity theft. Finally, keep all of your electronic devices, including your smartphone, up to date with the latest security software patches.