IRS Outlines Form W-2 Scam Data-Loss Reporting Procedures

Author: Rena Pirsos, XpertHR Legal Editor

April 3, 2017

The IRS has outlined the steps employers should take to help protect employees from tax-related identity theft caused by the recent rash of Form W-2-related scams that may compromise business emails. Because time is of the essence to effectively stop and prevent cybercrimes, employers and payroll service providers are encouraged to quickly utilize these avenues to not only report actual loss of data due to these scams, but also to report the receipt of any suspicious emails.

How to Notify the IRS

To notify the IRS about a Form W-2 data loss and receive a call back from the agency, an employer should promptly send the IRS an email including the following information:

  • Employer's business name;
  • Employer's identification number associated with the data loss;
  • Contact person name and phone number;
  • Summary of how the data loss occurred; and
  • Number of employees impacted.

Note that the IRS never initiates contact with taxpayers by email, text messages or social media to request personal or financial information. Any contact with the IRS would be taxpayer-initiated.

A different email procedure is also provided for employers that received a Form W-2 phishing email but did not fall victim to it, in which the phishing email should be forwarded to the IRS in a specific format that will enable the agency to properly investigate it.

How to Notify State Tax Agencies

Breaches of employees' personal information may also affect their state tax accounts. Employers are advised to email the Federation of Tax Administrators to obtain information on how to report a scam to the states.

Notifying Law Enforcement

Cybercrime should ideally also be reported to the FBI, by filing a complaint with the agency's Internet Crime Complaint Center. The FBI may instruct an employer to file a report with a local law enforcement agency.

Advice for Employees

The IRS explains that cybercriminals usually make immediate attempts to turn the stolen information into cash by filing fake tax returns in the names of the victims. They also sell the data on Internet black market sites to others who make similar attempts, or who use victims' names and social security numbers as part of other crimes. Employers can help educate their employees about identity theft and how to prevent or report it by sharing the following resources with them:

  • The IRS Taxpayer Guide to Identity Theft;
  • IRS Publication 4524, Security Awareness for Taxpayers; and
  • IRS Publication 5027, Identity Theft Information for Taxpayers, which includes information on how to:
    • Contact one of the three credit bureaus to place a "fraud alert" and/or "credit freeze" on their account(s);
    • File a complaint with the Federal Trade Commission (FTC); and
    • Learn how to recover from identity theft.

The FTC also provides guidance for employers that have fallen prey to a cyber scam on how to inform employees about the incident and the additional remedial steps an employer should take.