W-2 Scams Set Their Sights on Higher Education


In February, the IRS issued an urgent alert about a W-2 scam that made its way from corporate America to nonprofits, local school districts and higher education. The latest W-2 scam, a new kind of Business Email Compromise attack, has two phases.

First, a hacker pretending to be a president or high-ranking official at a college or university sends a phishing email to the school’s payroll or human resources department, requesting W-2 forms for all employees. Obviously, a W-2 is the holy grail of sensitive data for an individual. This allows the hacker to collect the victim’s tax refund by filing a fraudulent tax return.

In phase two of the attack, employees receive another email request to wire funds to the hacker’s bank account to cover payroll and other bills. This is part of the growing scourge of wire transfer fraud, which cost victims $3.1 billion between October 2013 and May 2016 according to FBI data.

On March 14, CSO revealed that W-2 scams involving 110 organizations – including a number of colleges and universities – had been reported thus far. The most successful hackers were to obtain W2s for all employees of the victim organizations and steal thousands of dollars. The data of more than 120,000 taxpayers was compromised.

Other popular phishing scams reported by the IRS in recent months include:

  • Requests for tax professionals who use IRS services to update their accounts on a bogus website.
  • Phony tax bills related to the Affordable Care Act.
  • Requests to verify Social Security numbers or financial account information, which the hacker claims are required to process a tax return or determine if the recipient was a victim of tax fraud.

Phishing scams increased by a whopping 400 percent in 2016, according to the IRS. In fact, phishing tops the IRS’s latest Dirty Dozen list of tax scams for the 2017 filing season, ahead of phone scams, identity theft, return preparer fraud, and fake charities. The IRS lists schools as one of the primary targets for phishing scams.

Awareness and education are key to avoiding W-2 scams and other phishing attacks. When the IRS issues a warning such as the W-2 scam alert, notify your school’s accounting and human resources departments and any other personnel who might be targeted. Make sure staff and students know how the IRS contacts people. In most cases, the IRS will send a letter in the mail. In rare cases, they’ll communicate via email. The IRS never initiates contact via text, instant message or social media, and they never issue threats, demand wire transfers or request personally identifiable information by email. If you receive a suspicious email, check the sender’s address to see if it seems fake. If you’re not sure, don’t click any links or open attachments.

Report suspicious emails to your IT department for investigation and forward emails to phishing@irs.gov with “W2 Scam” in the subject line. Incident reports have led to many arrests, so don’t assume you’re powerless if you’ve been victimized by a phishing scam. If you’ve suffered financial losses because of an IRS-related incident, report it to the Treasury Inspector General Administration and file a complaint with the Federal Trade Commission’s Complaint Assistant.

Remember, hackers don’t have an offseason. IRS scams don’t stop after April 15. Train your staff to keep their guard up and watch for phishing and social engineering scams throughout the year.