Beware this phishing e-mail tax scam from 'the boss'

W-2 wage and tax statement forms.

Get an e-mail from a big boss at your company and when she says hop-to-it, well, you make sure you jump on the spot.

We can picture all too well our own version of Miranda in The Devil Wears Prada issuing some detailed demand and crisply concluding: "That's all."

So I guess it should be no surprise that the scammers are now spoofing e-mails pretending to be the CEO or some other top executive at the company and demanding a long list of W-2 files via PDF format. Immediately. As in yesterday. Seriously.

The Internal Revenue Service issued an alert to payroll and human resources professionals warning them to think twice about responding so quickly to the boss.

Watch out for words like: W-2. PDF. Quick Review. ASAP. Updated List. Full Details. Kindly.


Yes, the crooks use words like "kindly," which might give you reason to wonder if this is really coming from someone at your company. Just saying.

The official IRS alert: "If your CEO appears to be e-mailing you for a list of company employees, check it out before you respond," said IRS Commissioner John Koskinen in a statement.

The phishing scheme involving W-2s isn't exactly a new trick. But it can be brand new to someone who never ran into it in the past.

The thing is, we can never, ever forget that fake tax returns are now a huge operation for criminal activity. Tax refund fraud losses are estimated to reach $21 billion by 2016, according to the Treasury Inspector General for Tax Administration, which provides independent oversight of the IRS.

Yes, some stressed-out employees in HR and elsewhere have already been tricked into doing this very dumb thing involving W-2 forms.

Watchdog KrebsOnSecurity reported in February that spoofing e-mails were cropping up this tax season with requests for W-2 form information.

One clue of a fraud: The phishers used someone's GoDaddy e-mail server and the return address was not associated with the company.

The IRS reported that this latest scheme is part of a surge of phishing e-mails seen this year. It has already claimed some victims, the IRS said, as payroll and human resources offices mistakenly e-mail payroll data, including W-2 forms that contain Social Security numbers and other personally identifiable information.

All that information, of course, makes it super easy to create a fake tax return to cook up an over-the-top refund for the crooks.

It's not the CEO that's sending that e-mail; it's a cyber crook.

The Evening Post Industries, which owns The Post and Courier in Charleston, S.C., as well as other properties, told its employees that it was a victim of the e-mail spoofing on Feb. 26.

Yes, someone believed that a fake e-mail actually was from the CEO, who somehow wanted a summary of all 2015 employee W-2 information.


"We are working diligently to investigate this occurrence," said John Barnwell, president and CEO of Evening Post Industries in an e-mail response to the Free Press.

"We will provide free credit monitoring and identity restoration services for every employee affected."

Some details that could be in a phishing e-mail, according to the IRS:

  • "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."
  • "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home, Address, Salary)."
  • "I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap."
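As an added example (not from the article or the IRS), the following Python check applies the two clues the article gives a payroll inbox: an executive's name on an address outside the company's own mail domain, and several of the IRS-listed phrases together in one message. The company domain, the executive name and both sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed company mail domain and executive names (constructed for this example).
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"jane doe"}

# Wording the IRS alert says recurs in these W-2 requests.
W2_KEYWORDS = ("w-2", "pdf", "quick review", "asap", "updated list",
               "full details", "kindly")

def mail_domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw: str) -> dict:
    """Return {'suspicious': bool, 'reasons': [...], 'keyword_hits': [...]}."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [k for k in W2_KEYWORDS if k in text]
    reasons = []
    # Clue from the article: the boss's name, but a mailbox that is not the company's.
    external = {mail_domain(from_addr), mail_domain(reply_addr)} - {COMPANY_DOMAIN}
    if display_name.strip().lower() in EXECUTIVE_NAMES and external:
        reasons.append("executive name on external address: " + ", ".join(sorted(external)))
    # Second clue: several of the IRS-listed phrases in the same message.
    if len(hits) >= 3:
        reasons.append("W-2 request wording: " + ", ".join(hits))
    return {"suspicious": bool(reasons), "reasons": reasons, "keyword_hits": hits}

# Constructed sample messages (not real mail).
PHISH = """\
From: Jane Doe <jane.doe@webmail-host.test>
Reply-To: <ceo.jane.doe@freemail.test>
To: payroll@example-corp.test
Subject: Quick review - W-2

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review. I need them ASAP.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Board meeting

Can we move the quarterly payroll review to Friday morning?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

A real deployment would also check the authenticated envelope sender rather than only the From header, which spoofers control.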

Adam Levin, chairman and founder of Identity Theft 911 and author of Swiped, said that W-2 information offers key data for sophisticated criminals who are crafting fraudulent tax returns.

"It's a goldmine for the bad guys with taxes," Levin said.

As with other successful phishing attempts, there is a level of plausibility here, too. A top executive might plausibly need some payroll data at some point. The e-mail could look authentic and carry the correct name of the company's CEO or executive.

Levin noted that fraudsters also use other e-mail lures to convince everyday consumers that they might have a refund waiting or need to fix a tax problem.


I received an e-mail in late February that clearly was a scam involving a "Tax Refund Notification" — reportedly from the Australian Government or My.Gov. "To access your tax refund, please click here." Do not do it.

The IRS noted in one of its alerts this year that it does not initiate contact with taxpayers by e-mail to request personal or financial information. No text messages, no messages sent via Facebook.

Levin said consumers need to remember that some major data breaches — such as those at Anthem, Premera, and Excellus Blue Cross Blue Shield — have put more than 100 million Social Security numbers at risk.

On top of that, people have engaged in so much oversharing in social media that some pieces of information that can be used in hacking, such as someone's high school or maiden name, are put in play as well.

"It's going to continue to grow and grow," Levin warned.