As previously highlighted, in early February, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. Since the IRS warning, this type of scam has taken numerous victims. On February 15, 2017, Virginia Wesleyan College released a notice stating that the 2016 W-2 tax form information of its employees had been sent that day to an unauthorized third party as a result of an email scam. The information was sent by an employee who believed a spear-phishing email was a legitimate request for W-2 forms.
Notice to the Office of the Attorney General of a breach of computerized employee payroll data must include the affected employer or payroll service provider’s name, and federal employer identification number. Following receipt of notice, the Office of the Attorney General is then required to notify Virginia’s Department of Taxation of the breach.
This amendment to the Virginia statute becomes effective July 1, 2017, and in light of the growing concern for W-2 phishing scams it would not be surprising if other states follow suit. Employers should advise their staff to exercise caution when responding to requests for W-2 forms and confirm verbally that the request is valid.