The big scam this season is what's known as a Business E-mail Compromise (BEC) or Business E-mail Spoofing (BES) scam. A BEC scam is a blend of CEO fraud and W2 phishing. Cyber criminals use spoofing techniques to disguise themselves as organization executives, often using the victim's exact e-mail address. Next, the scammer sends an e-mail as the "executive" to an employee in the organization's payroll or services department. The message, which is almost always marked urgent, requests a list of all employees and their W2 forms. The employee mistakenly forwards the information, which scammers then use to file fraudulent returns (or sell).
BEC and BES scams are common, but this year there's a new twist: if the W2 forms have already been sent, the "executive" will send a follow-up e-mail requesting that a wire transfer be made to a certain account. Some companies have lost both their employees' personal information and thousands of dollars as a result of this scam.
Warning Signs and Preventative Action
It's worth mentioning that if you work in Human Resources, you have to be especially vigilant: you're a scammer's primary target. The most dangerous thing about a well-put-together spoofing campaign is its apparent legitimacy. Scammers will use the actual e-mail address of an executive, and will do everything they can to mirror an organization’s digital fingerprint, including its e-mail header, font choice, and signature blocks. Scammers may even try to imitate the personality of an executive, with information pulled from social media.
Despite all of this, there are still a few key things to look for in order to easily spot a scam:
If you ever receive a request for your personal information or the information of other employees, and the message looks legitimate, the first thing you should do is expand the address field. If there's even the slightest thing off about the sender's e-mail account or domain name, alert the authorities. Be especially wary of e-mails that claim to come from the IRS. The IRS will never initiate taxpayer communication through e-mail.
Additionally, watch for e-mails that both request information and discourage contacting the executive for confirmation. And a quick note for employers: one of the best steps you can take towards cyber safety is to empower your employees to confirm the legitimacy of these requests.
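As an added example (not part of the original article), the warning signs above can be written as a small Python check over a raw message. The domain `corp.example`, the phrase lists, the Reply-To comparison and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"  # assumption: your organization's real mail domain

# Constructed phrase lists for the warning signs the article describes.
SIGNALS = {
    "sensitive_request": r"\bw-?2s?\b|list of (all )?employees|wire transfer",
    "urgency": r"\burgent(ly)?\b|\basap\b|\bimmediately\b|right away",
    "discourages_confirmation":
        r"(do not|don't|no need to)\s+(call|contact|phone|confirm|verify)",
}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_warning_signs(raw_message):
    """List the warning signs found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From"))
    # "Expand the address field": is the sender's domain exactly ours?
    if from_domain != ORG_DOMAIN:
        findings.append("sender_domain_mismatch")
    # Assumption beyond the article: an exact From address can still be
    # paired with a Reply-To that routes answers to another domain.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings += [n for n, pat in SIGNALS.items() if re.search(pat, text)]
    return findings

# Constructed sample messages (not real traffic).
LOOKALIKE = ('From: "Pat Lee, CEO" <pat.lee@c0rp.example>\n'
             "Subject: URGENT - W2 forms needed\n\n"
             "I need a list of all employees and their W2 forms right away.\n"
             "I am in meetings all day, so do not call me about this.\n")
EXACT_FROM = ("From: Pat Lee <pat.lee@corp.example>\n"
              "Reply-To: pat.lee@mailbox.example\n"
              "Subject: Follow-up\n\n"
              "Please make a wire transfer to the account below today.\n")
BENIGN = ("From: hr@corp.example\nSubject: Lunch schedule\n\n"
          "The cafeteria menu for next week is attached.\n")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("exact", EXACT_FROM), ("benign", BENIGN)]:
        print(name, bec_warning_signs(raw))
```

A flagged message is a prompt to confirm the request with the executive through a separate channel, not proof of fraud on its own.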
If You're a Victim:
If the worst has happened and you or someone within your organization has erroneously sent personal information to scammers, there are still steps you can take to ensure the safety of your personal information and tax return.
Contact the IRS immediately. You're not the first person to go through this, and the IRS has an identity theft protocol, available here, for both individual and corporate victims of identity theft.
And you can always reach out to us here at Polston Tax Resolution and Accounting. Be sure to browse our services page and fill out the form for a free and confidential consultation. Or give us a call at 884-841-9857. We're open from 8am-5pm Central.