Keeping your personal information safe can be an important part of preventing identity theft, but sometimes you don't have control of the matter. A data breach could give hackers access to your username, password and other sensitive information. Or, if your employer falls for a W-2 scam, they might send your W-2 to a cybercriminal who will then have your name, address, Social Security number and financial info from the company.
What Are W-2 Scams?
W-2 scams are a type of scam that targets employers rather than individuals. The basic premise is that the scammer tries to get someone with access to employees' W-2s, perhaps someone in the finance or human resources department, to send them copies of every employee's W-2.
If successful, this type of W-2 phishing scam can give the cybercriminals sensitive information that they can then use to file fraudulent tax returns. They may also be able to commit other types of identity fraud and sell the W-2s or info to other criminals on the dark web.
The attack can take different forms. However, according to the IRS, the scam usually starts when cybercriminals "spoof" an email to make it look like they're sending an email from an executive at the company. It's a phishing technique that relies on deception and social engineering to trick the victims.
The email could ask for a list of employees and their W-2s, and there could be a sense of urgency to the request. And because the employee wants to please the higher-up, they might quickly respond and send the criminals the W-2s.
Fraudulent W-2 Scams
In March 2023, the IRS warned of a completely different type of W-2 scam. It's a scheme that's promoted on social media in which people are told to create fraudulent W-2 forms and use them to file false tax returns to get a large refund. Don't fall for it. Filing a fraudulent tax return could lead to thousands of dollars in penalties or criminal charges.
How to Avoid W-2 Scams
Unfortunately, there's not a lot you can do to prevent someone from sharing your W-2 without your permission. However, you can take steps to help everyone at your company stay safe and to protect yourself from tax identity theft.
- Ask about anti-phishing training. If your employer doesn't require cybersecurity training, talk to HR or IT about setting up training programs for everyone. Phishing emails can cost companies lots of money as they can also lead to ransomware and other types of attacks. Security awareness training programs can help employees detect and avoid phishing scams.
- Report suspicious emails. You might be targeted by a phishing scam even if you're not in a position that gives you access to employee records. If you receive a suspicious email, don't click on any links and forward it to your IT department for guidance.
- Call or message the sender. Consider making a quick call or sending a new email or message to confirm requests for W-2s. Although asking a superior for confirmation can be scary, the person will likely be more thankful that you're helping protect the company than disturbed by any potential interruption.
- Share information with coworkers. You can share warnings and informational articles, such as this one, with colleagues to help them learn about scams.
If you're worried that your information may be compromised―from a W-2 scam or other means―you can also take steps to help protect yourself from tax refund theft.
Once you have all the necessary forms, file your tax return early; additional attempts to file a return with your tax identification number will be rejected for being duplicates. You can also sign up for a free tax Identity Protection PIN, which you'll then have to include on your tax return for the IRS to accept the return.
How to Report W-2 Scams
If you think you've received a W-2 scam email and you didn't reply, you can forward the email to the IRS by following the IRS' instructions for saving and sending the email.
You should immediately report the issue to the company when you think you've fallen for a W-2 scam. Additionally, you may want or need to report the loss to law enforcement, state agencies and the IRS.
- The IRS page also has specific instructions for how to report the W-2 scam. If you act quickly, the IRS could potentially help protect employees from identity theft connected to their stolen W-2s.
- The IRS suggests emailing StateAlert@taxadmin.org to get state-specific reporting info.
- You may also want to file a report with local law enforcement and a complaint with the FBI's Internet Crime Complaint Center (IC3).
There could be state and federal laws that dictate how you need to respond to a data breach involving people's personal information. Alert your company's legal department so they can be sure to follow all the requirements.
Monitor Your Credit and Identity
A W-2 scam isn't the only way for your personal information to fall into the hands of criminals. And given how often data breaches happen, there's a chance your personal information is already for sale online.
You can use a free dark web scan to see if your SSN, email or phone number are exposed. Free credit monitoring can also alert you to suspicious changes in your credit report—a sign that someone may be applying for credit in your name. And subscription identity theft protection services like Experian IdentityWorks℠ can offer additional monitoring and identity recovery services.