IRS, Security Summit partners warn tax professionals of fake payroll direct deposit and wire transfer emails
December 18, 2018, 11:30 AM
The Internal Revenue Service and its Security Summit partners today warned tax professionals of an uptick in phishing emails targeting them that involve payroll direct deposit and wire transfer scams.
These business email compromise/business email spoofing (BEC/BES) tactics generally target all types of industry and employers. Recently the IRS received a number of reports from tax preparers that they, too, are being targeted.
The IRS and the Summit partners, consisting of state revenue departments and tax community partners, are concerned these scams – as well as the Form W-2 scam -- could increase as the 2019 tax season approaches.
These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel. The email from the "employee" asks the payroll or human resource staff to change his or her direct deposit for payroll purposes. The "employee" provides a new bank account and routing number, but it is actually controlled by the thief. This scam is usually discovered pretty quickly, but not before the victim has lost one or two payroll deposits.
In another version of the BEC/BES scam, the emails impersonate a company executive and are sent to the company employee responsible for wire transfers. The email requests that a wire transfer be made to a specific account that is controlled by the thief. Companies that fall victim to this scam can lose tens of thousands of dollars.
A common theme in these and many other email scams is that they include grammatical and spelling mistakes.
All businesses should be alert to these BEC/BES scams that take many forms such as fake invoice payments, title escrow payments, wire transfers or other schemes that result in a quick payoff for the thief. Businesses should consider policy changes to guard against such losses.
One version the IRS and Summit partners have highligted in recent years is the W-2 scam. This involves an email impersonating an executive or person in authority, which requests a list of the organization's Forms W-2 covering all of its employees. The purpose of this scam is to allow thieves to quickly file fraudulent tax returns for refunds. All employers, in both the public and private sectors, should be on guard against this and other dangerous scams.
BEC/BES email examples
Here are examples of emails that have been reported by tax professionals to the IRS in recent days. These emails have been edited by the IRS:
Sent: Monday, December 10, 2018 [REMOVED]
Subject: (no subject)
I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?
Sent from my iPhone
The wire transfer scam is similar:
-------- Original message --------
Date: 12/10/18 [REMOVED]
Subject: ACH Payment Attention
Please confirm the receipt of my message, Authorized can you handle domestic transfer payment now?
Sent from my iPhone
Where to send the BEC/BES emails
General non-tax related BEC/BES email scams should be forwarded to Internal Crime Complaint Center (IC3), which is monitored by the Federal Bureau of Investigation. The public can file a complaint about email scams or other internet-related scams by going to www.ic3.gov.
Tax professionals and others should also report tax-related phishing emails to firstname.lastname@example.org. This account is monitored by IRS cybersecurity professionals. This reporting process also enables the IRS and Security Summit partners to identify trends and issue warnings.
Because of the dangers to tax administration posed by the Form W-2 scam, the IRS set up a reporting process for employers. Employers who fall victim to the W-2 scam should report it at email@example.com. There is a process employers can follow at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers. Employers who receive the W-2 scam email but do not fall victim should forward the email to firstname.lastname@example.org.