Tax season is here, which means tax fraud season is here, too. This year, the Internal Revenue Service (IRS) is warning tax practitioners about a new phishing scam targeted at them and reminding all employers about fraudsters’ continued use of a scam to collect Form W-2 from entire companies.

Cybercriminals have traditionally targeted taxpayers, in an attempt to obtain their personal information, through phone or email scams. Perhaps due to advances made in educating the public about identity theft, cybercriminals are now shifting tactics and targeting tax professionals to obtain the same sensitive, personal information.

Here is how the scam targeting tax preparers works: Fraudsters send introductory emails to tax professionals posing as potential clients to gain access to the professionals’ computer systems and collect the personal information of clients. Some emails reported to the IRS include:

  • “Happy new year to you and yours. I want you to help us file our tax returns this year as our previous CPA passed away in October. How much will this cost us? Hope to hear from you soon.”
  • “A friend of mine introduced you to me regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attached is my information needed for my tax to be filed. If you need more details please feel free to contact me.”

The email may contain a phishing URL or an attachment containing a phishing URL claiming the individual’s tax data is enclosed. Once the recipient clicks the link, malware is secretly downloaded that allows the cybercriminal to track keystrokes or gain remote access to the recipient’s computer and steal personal information. That information can then be used to file fraudulent tax returns or sold on the Dark Web.

In a twist, a few cases have seen fraudulent returns deposited in taxpayers’ real bank accounts. Then, a person posing as a debt collection agency official contacts the taxpayer, says a refund has been deposited in error, and asks the taxpayer to forward the funds to the caller.

One scam that is not new about which IRS officials are again warning employers is a phishing scam targeting payroll or human resources departments in an attempt to obtain employees’ Forms W-2. This scam first appeared in 2016, and the IRS does not expect it to slow down in 2018, calling it “one of the most dangerous phishing emails in the tax community.”

As we reported last year, here is how the Form W-2 scam works: Cybercriminals pose as an executive in a company in an email to payroll or human resources and request copies of Forms W-2 for all employees. Fraudsters have even used an executive’s signature block in the email to increase legitimacy.

The initial email to the employee may be a simple “Hi, are you working today?” before the fraudster requests employee information. Emails typically include language such as:

  • “Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2017. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

During the last two filing seasons, cybercriminals have targeted at all types of employers, including large and small businesses, public schools and universities, hospitals, tribal governments, and charities, meaning that all employers should take steps to educate their employees and safeguard employees’ personal information. Employers may also want to consider limiting those employees who handle Form W-2 requests and requiring additional verification procedures before emailing Forms.

Regardless of the phishing method, the IRS has recommended a number of basic steps all employers should take—whether it be a small tax preparer or a large business:

  • Educate all employees about phishing emails and train them to not click on pop-ups or suspicious links.
  • Use strong, unique passwords.
  • Never take an email from a familiar source at face value.
  • Consider verbal confirmation by phone with the sender of an email before sending further information or accessing links or attachments.
  • Notify the IRS of all suspicious tax-related phishing emails ([email protected] for all phishing emails, and [email protected] for Form W-2 scam emails).

Additional federal resources:

“Don’t Take the Bait” Security Awareness Campaign

Report Phishing and Online Scams

Tax Scams and Consumer Alerts