Employers, employee benefit plans and their service providers beware! The Internal Revenue Service is warning you to be on the watch for a dangerous email scam currently circulating nationwide that targets employers, including tax-exempt entities, universities and schools, government and private-sector businesses.
According to the IRS, the scammer poses as an internal executive requesting employee Forms W-2 and Social Security Number information from company payroll or human resources departments. They may even send an initial “Hi, are you in today” message before the request.
Employers and other businesses who might be targeted by these or other identity theft scams should take steps to ensure that their staff and vendors are appropriately trained to recognize and guard against these activities.
Employers and other parties receiving tax or other sensitive information face legal obligations, liabilities and a myriad of losses for failing to properly protect the privacy and security of that data.
Additionally, employers, payroll, benefit plans and their service providers that received a suspicious contact like the one reported in the alert should consider reporting the loss and taking other protective actions. For possible breaches of tax information, the IRS has established a process that employers and payroll service providers can use to quickly report any data losses related to the W-2 scam. See details at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers. If notified in time, the IRS may be able to take steps to prevent employees from being victimized by identity thieves filing fraudulent returns in their names. There also is information about how to report receiving the scam email even if you did not fall victim.
Tax professionals who experience a data breach also should quickly report the incident to the IRS by contacting their local stakeholder liaison. See details at Data Theft Information for Tax Professionals.
While employers or other businesses targeted for or victimized by the scams likely will want to report the activity as soon as possible to the IRS, businesses should keep in mind that their responsibilities and liability exposures may not end with making such a report. Federal law imposes specific obligations when personal financial information is breached under a wide range of circumstances. Additionally, most states have identity theft or other laws that require businesses and employers to protect sensitive personal data, including payroll information, as well as specific reporting requirements when a breach happens. Depending on the nature of the breach and the information compromised, employers may have obligations to file reports and take other specific responsive actions. Additionally, employers may need to provide notification to liability insurance carriers and other vendors or business partners who may be impacted by the breach or attempted breach.
In order to ensure that all responsibilities are properly recognized and handled, employers and other businesses or plans that may be impacted by a scam or other data breach should contact qualified legal counsel experienced in advising and representing businesses in preventing and responding to these activities for assistance in investigating and documenting their actions in response to the scam or breach, as well as for advice about the advisability of any reporting to federal or state agencies, liability insurers, other business partners and even affected individuals.