Risk and Resilience: What the C-Suite Needs to Know about the Latest Tax Fraud Scam

by FEI Daily Staff

The latest tax scam is personal: fraudsters will invoke your name to get the job done. Here’s how it works.


The traditional tax season may be over, but that doesn’t mean it is time for the C-Suite to let its guard down when it comes to tax identity fraud. You may have breathed a sigh of relief if you received a tax refund this year, confident in the knowledge that since you received your refund, your identity hadn’t been stolen and used to commit tax refund fraud. But, what you need to know is that it’s not just you who is the target for fraudsters; now, it’s your organization. In fact, the latest tax scam – phishing for employee W-2 forms – is one that can impact your organization throughout the year.

And, it’s personal. Literally. The fraudsters will invoke your name to get the job done. Here’s how it works:

A fraudster sends an email to someone in your human resources department pretending to be you – a C-Suite executive. In the email, the fraudster asks the junior employee on the other end of the computer screen to send along W-2 information for all employees. The junior employee complies. After all, who is going to question a request from the boss?

Once the junior employee sends along the information, the fraudster has the Personally Identifiable Information (PII) for all your employees. Simply put: the fraudster has stolen the identities of all your employees, and in doing so, has acquired all the necessary data to commit identity-based tax refund fraud, and to do so at scale.


Your organization is at risk of falling victim to this fraud if you are unaware of the crime, who is perpetrating it, what happens to those identities, the scale at which it is perpetrated and the end game.

  • The perpetrators. There are certainly individuals out there who commit identity-based tax refund fraud. But that’s generally not the case with this type of crime. These sophisticated phishing scams are being perpetrated by organized criminal groups – both foreign and domestic, but primarily criminal groups out of Eastern Europe.
  • The identities are sold on the dark web. Identities are a valuable commodity. I’ve seen basic PII (i.e., name, Date of Birth, Social Security number (SSN) and address) sell for as low as $2 on the dark web. But, W-2s contain wage and employer data. Organized criminal groups steal the data and organized criminal groups buy the data. They are more valuable because a stolen W-2 gives a fraudster exactly what they need to file a perfect tax return. All that the fraudster has to do is alter the return to make sure they get a refund and fill in their bank account and routing numbers of choice. It’s the perfect crime.
  • The scale. Tax identity fraud is incredibly popular because it can be perpetrated at scale. These organized criminal groups know they have 44 opportunities to file a perfect tax return, once with the Internal Revenue Service (IRS) and then in the other 43 states (including the District of Columbia) that require taxpayers to file taxes. Consider this: assume that you have 500 employees. If the fraudsters get a $900 tax refund using an employee’s stolen W-2 data from the IRS and the 43 other jurisdictions, they “earn” $39,600. Now, apply that to the other 499 employees. The fraudsters could potentially steal up to $19,760,400.
  • The end game. You have to ask yourself: what do these organized criminal groups plan to do with all this money? The answer is very unsettling. This crime funds even darker crimes, such as drug crime, terrorism and human trafficking.

Now that you understand the risk, it is imperative to educate your organization about the problem.

This is a phishing scam. A data breach. It is a cyberattack aimed at stealing your employees’ PII. As with any cyber threat, assume that you will be attacked. If the data will potentially be shared, have a process in place for doing so. Make sure your employees know exactly who has the authority to request W-2 data, the circumstances under which the data would be requested and how the information should be transmitted. Just as importantly, if the data is not expected to be shared, make that clear, as well.

Unfortunately, some organizations will fall victim to this scam. When that happens, these organizations should immediately contact the IRS and the states in which they do business and where their employees reside. These tax authorities need to know that they must take extra steps to verify and authenticate the identities of your employees’ tax returns. This is where the data sharing comes into play.

The data sharing imperative

The IRS and states collect data on the W-2s and the organized criminal groups steal it. We are living in the age of big data. It isn’t enough for one state or the IRS to know about the stolen W-2s because the fraudsters are targeting multiple jurisdictions. The silo approach won’t work. These organized criminal groups have thought past it. Instead, the IRS and the states must share tax data and intelligence on fraudsters. They must analyze their tax data against big data, such as public records, and link it correctly. If John Doe at 123 Main Street is the same as Jon Doe at 123 Maine Street, advanced, identity-based linking will show that. And, when all taxing authorities share this data, the organized criminal groups will find themselves up against a united front.

Credit monitoring: A note of caution

Organizations that have been defrauded will likely do what so many others have done in the wake of other data breaches: offer free credit monitoring to their employees for a certain period of time. You should do that, but I’d be doing you a disservice if I didn’t tell you the cold, hard truth: credit monitoring is of very limited value to the affected employee because credit monitoring only applies to credit transactions.

The fraudsters may try to use the stolen data to commit as much bank or credit card fraud as they can before the credit monitoring takes effect, or your employees notice they are victims of the fraud – whichever comes first. Keep in mind, there is no credit transaction that occurs with a tax return. Unless the fraudster files with the IRS or in the same state as the employee, the employee will likely never know his/her identity was used to defraud the government.


This W-2 scam has proven lucrative for organized criminal groups, so they aren’t likely to stop perpetrating it any time soon. They will, however, evolve their tactics. Your organization is at risk. Like any cyberattack, you should expect it and prepare for it. Your employees are the front line against this scam. Make sure they are educated about it, recognize it and know what steps to take when it occurs.

Haywood “Woody” Talcove is CEO, LexisNexis Special Services Inc. and CEO, Government, LexisNexis Risk Solutions.