Don’t Take the Bait – Security Risks and Protection Strategies

Week six of the 10-week IRS series “Don’t Take the Bait”, which discusses security risks and protection strategies for tax professionals, addresses a popular W-2 scam. This threat is a variety of business email compromise, or BEC, and is currently one of the most dangerous phishing email schemes facing tax professionals. The article describes how the scam works and then suggests strategies for managing it.

The article explains that “a business email compromise occurs when a cybercriminal is able to ‘spoof’ or impersonate a company or organization executive’s email address and target a payroll, financial or human resources employee with a request.” The cybercriminal uses the credibility of the hijacked email address to obtain private information, such as a list of all employees and their W-2 forms.

The IRS has established an email notification address specifically for the reporting of W-2 thefts: If your business or organization falls victim to such a scam, be sure to report it as soon as possible. If you suspect that you are the target of a BEC but have not yet had any information stolen, forward the suspect email to

In order to protect both your clients and your businesses from BECs, the IRS recommends that tax professionals take the following steps:

  • Confirm requests for sensitive data verbally.
  • Verify payment change requests and require a secondary sign-off for important changes.
  • Educate employees about this type of scam.
  • Follow FBI-recommended safeguards.
  • In the event of a BEC incident, immediately notify both the IRS and the FBI’s Internet Crime Complaint Center (IC3).

For more details, read the article in full at