A new type of email phishing scam is targeting schools and universities. Victims are likely to be more than a little confused when they find out that scammers did their taxes!
Basically, the scam works like this: Scammers send HR departments emails attempting to get large batches of employee social security numbers alongside corresponding W-2 forms. Once the scammers have those, they go ahead and file a person's tax return in order to steal the tax refund.
Stealing Tax Refunds
Believe it or not, it is a rather common practice for scammers to file fraudulent tax returns. While having a person's real W-2 form is helpful for scammers, it is not even necessary. All that a scammer really needs is an individual's name, social security number, and birth date. They can make up the rest of the numbers.
Individuals may not realize that a fake tax return has been filed until they attempt to file their own real tax return. At that point, the IRS will either reject the return as a duplicate or notify the individual that a return was already filed, or the individual simply never receives their refund. Fortunately for victims, when this occurs, the IRS will correct the situation and not penalize the victim. However, there is a very real cost associated with these fraudulent returns, and that cost falls on all taxpayers. These scams result in over $2 billion in annual losses.
Same Wolf, New Sheep
While the fraudulent tax refund scam has been ongoing for years, what's new about this scam is the method of obtaining victim information. University and business HR and payroll departments have been increasingly targeted recently. The scammers use sophisticated tools to make it appear that their emails originate from a trusted internal source, such as a CFO, who has the authority to request and receive sensitive information, and then they request the information in a rush.
To avoid falling victim to this scam, staff in HR and payroll departments should be reminded never to share sensitive financial information via email without first verbally confirming the request.