On March 1, 2016, the Internal Revenue Service (IRS) began alerting employers and their payroll staff about a phishing scheme that cyber-criminals are successfully using to trick payroll and accounting staff into releasing their employees’ W-2 forms to persons outside the company. In most cases, the outsiders are seeking to “monetize” the data—either by filing false refund claims or by selling the data thereby obtained to other cyber-criminals. The gist of the scam is an incoming e-mail made to appear as if it is coming from a company executive, such as its CEO, CFO or controller. The e-mail politely requests the recipient to send the executive a copy of all employee W-2 forms by electronic means, such as a PDF file. We are already hearing from companies and other organizations whose staff members have been tricked by the data requests.
If a tax data breach of this type occurs, there are several measures that a company should take immediately. First, contact should be made with the Criminal Investigation Division (CID) of the IRS. Besides working to apprehend the perpetrators, IRS CID is generally able to immediately put the employees’ taxpayer identification numbers (TINs) on a watch list so that fraudulent requests for tax refunds using the employee tax data can be scrutinized and rejected. Second, the company should assist employees with identity theft remediation efforts, including the filing of IRS Form 14039 (Identity Theft Affidavit). Additional measures may also be warranted.
Even if a tax data breach has not occurred, the IRS Release provides companies with a reminder to review and tighten up internal control procedures, particularly as they pertain to the use and handling of employee tax data and personal information. All companies should have a plan in place to prevent and deal with data breaches of this type.