Post written by
John Wilson
Field CTO at Agari, fighting scammers and cybercriminals who use email as their weapon. Making email safe again!
Across the nation, Americans are beginning the annual ritual of preparing their tax returns. And around the world, scammers are beginning their own annual ritual of disrupting lives and ripping off U.S. taxpayers through W-2 scams.
A W-2 is the Internal Revenue Service document U.S. employers provide to each of their employees shortly after the end of each year. It lists an employee’s earnings, tax withholding, Social Security number and address — in other words, everything a scammer needs to file a fraudulent tax return.
Scammers most commonly obtain W-2 forms via email fraud. In a typical attack, the head of human resources receives an email appearing to come from their CEO asking for a copy of the company’s W-2 records. The HR person, seeking to be responsive to the CEO, quickly complies, and soon everyone in the company is a victim of identity theft and likely tax fraud.
Scammers file fake tax returns for real taxpayers, get refunds from the IRS and state tax authorities and disappear with the funds. While the IRS (i.e., the American taxpayer) is ultimately responsible for the loss, clearing things up with the IRS can be difficult, delaying receipt of the annual tax refunds that many depend on to balance their finances.
Increasing Prevalence, Increasing Sophistication
The IRS reported first seeing W-2 phishing scams in 2016. In February 2017, the IRS warned that the scam had “evolved beyond the corporate world and [was] spreading to other sectors, including school districts, tribal organizations and nonprofits.” The IRS recently reported that, over the course of 2017, more than 200 employers were victimized by W-2 scams, compromising the identity of hundreds of thousands of employees. The IRS urged employers to limit the number of employees who have access to W-2 forms and to require additional verification procedures to validate requests before emailing W-2s.
How The Scams Work
W-2 scams are a form of business email compromise (BEC) attack. BEC emails slip past most of the conventional security technology used to protect organizations because they carry none of the malicious payloads these programs look for, such as viruses, malware or suspicious weblinks. Instead, they use identity deception and social engineering to convince recipients to take the desired action.
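Because there is no payload to scan, detection has to look at who the message claims to be from and what it asks for. The sketch below is an added example, not code from the article or from Agari: it holds a message for out-of-band verification when a W-2 request coincides with a sign of identity deception. The organization domain, executive name, keyword pattern and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): hypothetical organization domain,
# executive display names and keyword pattern chosen for this example.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}
W2_PATTERN = re.compile(r"\bw-?2s?\b|\bwage and tax statements?\b", re.I)

# Constructed sample messages (not real mail).
SPOOFED = ("From: Pat Morgan <pat.morgan@example.net>\nTo: hr@example.com\n"
           "Subject: Request\n\nPlease send me the W-2 forms for all staff.\n")
ROUTINE = ("From: Payroll <payroll@example.com>\nTo: staff@example.com\n"
           "Subject: Your W-2 is available\n\nView it in the HR portal.\n")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return the reasons a raw message looks like a W-2 BEC request."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []
    # Identity deception: an executive's display name on an outside address.
    if name.strip().lower() in EXECUTIVES and _domain(addr) != ORG_DOMAIN:
        reasons.append("executive display name from external domain")
    # Replies diverted to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != _domain(addr):
        reasons.append("reply-to domain differs from sender")
    # The request itself: W-2 records mentioned in the subject or body.
    body = "" if msg.is_multipart() else msg.get_payload()
    if W2_PATTERN.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("requests W-2 data")
    return reasons


def should_hold(raw):
    """Hold for verification when a W-2 request has an identity red flag."""
    reasons = score_message(raw)
    return "requests W-2 data" in reasons and len(reasons) >= 2
```

A W-2 keyword alone does not trigger a hold, so routine payroll notices pass; these heuristics are a prompt for the verification step the IRS recommends, not a replacement for it.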