Tax & Accounting Blog

Is That Really the IRS in Your Inbox?

July 19, 2017

How to protect your organization and employees from tax-related identity theft

Cyberattacks and breaches are thriving in a data-rich world. According to the Insurance Information Institute, last year saw a record 1,093 breaches with 37 million records exposed, up from 780 breaches in 2015.[1] In 2016 alone, $16 billion was stolen from 15.4 million identity theft victims, according to the 2017 Identity Fraud Study from Javelin Research.[2]

As of late April, there have been 516 breaches and 9.3 million records exposed so far in 2017, not including attacks that go unreported – or undetected. At that rate, which is 35.2 percent higher than last year at the same time, 2017 could be the best year yet for cybercriminals.[3]

Given how authentic many scams appear on the surface, it’s not surprising that so many people and businesses unwittingly fall into the traps cybercriminals set. Tax-related scams in particular are often difficult to spot.

Common tax-related scams to watch out for

W-2 email scam. Also known as business email compromise (BEC) or business email spoofing (BES), the popular W-2 email scam involves cybercriminals posing as an executive at an organization and emailing employees in payroll or human resources to ask for a list of all employees and their W-2 Forms.

This scam is surprisingly easy to pull off: If cybercriminals send 100 emails to payroll employees and convince only one person to hand over the data, they’ve won. Emails such as these need to be included in your organization’s security awareness training.

Other IRS impersonation email scams. When cybercriminals learn of a new IRS process, they’ll often work to quickly create false IRS websites and IRS impersonation emails related to that process. One recent such scam involved eServices accounts. While there has been plenty of legitimate activity in eServices this year, including the IRS asking organizations to recertify their credentials, it was done through the mail.

The IRS does NOT initiate contact with businesses or taxpayers by email, text message or social media channels to request personal or financial information.

If employees in your organization receive an email that appears to be from the IRS, they should not click on any links within it. Instead, go to the real IRS website at and log in independently to verify the communication.

Be Suspicious of These Subject Lines

Beware of IRS eServices-related scam emails with the following subject lines circulating now:

  • Account Closure!
  • e-Service Account is Blocked
  • Few Hours to Close Your Account
  • Your Account is Closed
  • Your Account is Terminated
  • 24Hrs to Block Your Account

If you or any employees in your organization receive an email regarding your account that appears to be from the IRS, do not click on any links or enter your credentials. Instead, go directly to the IRS website and log in.
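For mail administrators, the subject lines above can also drive a simple triage rule. The following is an added example, not part of the original article: it matches the listed subjects after decoding and normalizing the header, so changes in case, punctuation or Re:/Fwd: prefixes do not slip past. The IRS display-name check, the irs.gov domain comparison and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject lines taken from the list in the article.
SCAM_SUBJECTS = [
    "Account Closure!", "e-Service Account is Blocked",
    "Few Hours to Close Your Account", "Your Account is Closed",
    "Your Account is Terminated", "24Hrs to Block Your Account",
]

def normalize(subject):
    """Fold case, strip Re:/Fwd: prefixes, reduce punctuation to single spaces."""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject.casefold())
    return re.sub(r"[^a-z0-9]+", " ", s).strip()

KNOWN = {normalize(s): s for s in SCAM_SUBJECTS}

def triage(raw_message):
    """Return the reasons a message should go to manual review (empty if none)."""
    # policy.default decodes RFC 2047 encoded-word headers before matching.
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    padded = f" {normalize(subject)} "
    reasons = [f"subject matches listed lure: {orig}"
               for key, orig in KNOWN.items() if f" {key} " in padded]
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    # Assumption (not from the article): a sender naming the IRS from a domain
    # other than irs.gov is suspect. From headers can be forged, so a matching
    # domain is not proof of authenticity either.
    claims_irs = re.search(r"\birs\b|internal revenue", f"{display} {subject}", re.I)
    if claims_irs and domain != "irs.gov" and not domain.endswith(".irs.gov"):
        reasons.append(f"claims to be the IRS but sender domain is {domain or 'missing'}")
    return reasons

# Constructed sample messages (not real mail).
SAMPLES = {
    "encoded_lure": "From: IRS e-Services <support@irs-eservices.example>\n"
                    "Subject: =?utf-8?q?e-Service_Account_is_BLOCKED!?=\n\nLog in now.\n",
    "forwarded_lure": "From: Help Desk <helpdesk@mail.example>\n"
                      "Subject: Fwd: 24hrs to block your account\n\nSee below.\n",
    "benign": "From: Payroll <payroll@corp.example>\n"
              "Subject: Q3 payroll schedule\n\nAttached.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A match is a reason to quarantine and review, not a verdict; scammers change subject lines often, so the list needs regular updating.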

How to report a data loss to the IRS

If someone in your organization falls victim to such a scam and, for example, submits a W-2 file to a cybercriminal, you should take action immediately. The IRS may be able to take steps that help protect your employees from tax-related identity theft if notified quickly.

To report a data loss at your organization, email and type “W-2 Data Loss” in the subject line so that your email can be properly routed. Do not attach any employee personally identifiable information (PII) data. In the body of your email, include:

  • Business name
  • Business Employer Identification Number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

How to help your employees

As difficult as it is to tell employees that their data has been compromised, you need to let them know as soon as possible. Not only is it the right thing to do, failure to do so in a timely manner could bring penalties from the IRS and/or regulators.

You can refer employee victims of tax-related identity theft to IRS Pub 5027. Simple, self-explanatory and only one page in length, these instructions explain the steps individual taxpayers should follow, which include filing an identity theft affidavit (Form 14039) with the Federal Trade Commission (FTC) at and informing one of the three major credit bureaus (Equifax, Experian or TransUnion).

You should also let your employees know that the IRS may examine their future individual tax returns more closely to make sure the returns are legitimate and not from a fraudster seeking a bogus refund.

Taking action immediately is essential. Cybercriminals who successfully steal W-2 Forms instantly attempt to monetize their theft. Criminals may sell the data on black market websites, use the stolen names and Social Security Numbers to commit crimes or file fraudulent tax returns claiming a refund. A January 2015 report by the U.S. Government Accountability Office noted that while the IRS estimated it was able to prevent $24.2 billion in fraudulent identity theft refunds in 2013, cybercriminals made off with $5.8 billion in IRS refunds from their fraudulent filings.[4]

[1] Identity Theft and Cybercrime. Insurance Information Institute. Available:

[2] 2017 Identity Fraud: Securing the Connected Life. Javelin Research. February 1, 2017. Available:

[3] Identity Theft and Cybercrime. Insurance Information Institute. Available:

[4] Identity Theft and Tax Fraud: Enhanced Authentication Could Combat Refund Fraud, but IRS Lacks an Estimate of Costs, Benefits and Risks. United States Government Accountability Office Report to Congressional Requesters. January 2015. Available: