According to Tech Republic, around one in five small business owners reported they had a loss of data in the past year. And because of the lack of resources at a smaller company, reports show that a single data hack could cost you anywhere from $82,200 to $256,000.

Scammers are only getting smarter, too.

Don’t take the bait.

Yet another email scam is circulating where cybercriminals use spoofing techniques to disguise an email to make it seem like it’s coming from an organization’s executive. It’s being sent to employees in payroll and human resources departments and requests a list of all employees and their Forms W-2.

The scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

IRS Commissioner John Koskinen had this to say: “These are incredibly tricky schemes that can be devastating to a tax professional or business. Cybercriminals target people with access to sensitive information, and they cleverly disguise their effort through an official-looking email request.”

The IRS reports that the number of businesses, public schools, universities, tribal governments and nonprofits victimized by this scam has increased to 200 from 50 last year.

Forms W-2 obviously have extremely sensitive information about your employees such as their address, Social Security number and income. This information is used to file fraudulent tax returns and can be posted on the Dark Net where criminals would seek to profit from the thefts. 

So, don’t take the bait. This is the title of a new educational series the IRS is holding that’s a part of the ‘protect your clients, protect yourself’ campaign. You can learn more about it here.

That’s not all.

Remember how I mentioned scammers are getting smarter? Here’s yet another example of how cybercriminals are claiming victims.

According to the IRS, this is the time of year that many software providers issue software upgrades when tax professionals are working to meet the Oct. 15 deadline for extension filers.

Scammers are sending emails with a subject line of “Software Support Update” that highlight an “important software system upgrade.” The email thanks recipients for continuing to trust the software provider to serve their tax prep needs. It even mimics the (real) software providers’ email templates.

It prompts you to revalidate your login credentials, but the website link provided is fictitious and will steal your information if you click on it. Learn more about this particular scam by clicking here.

That’s really not all.

Just this week the IRS sent out an urgent alert warning of a new phishing scheme that impersonates the IRS and FBI as part of a ransomware attack to grab computer data.

This email uses IRS and FBI emblems and tries to entice you to select a link to download a fake FBI questionnaire. Instead, the link will download ransomware that prevents you from accessing data stored on your device unless you pay money to the scammer.

To learn more about this scam and to see a screenshot of the phony email, click here.

Here’s what to do.

Keep in mind that the IRS won’t use email, text messages or social media to discuss personal tax issues, such as those involving bills or refunds.

Here are tips on what to do to protect yourself from BEC scams specifically.

  1. Confirm requests for Forms W-2, wire transfers or any sensitive data exchanges verbally. Use previously known telephone numbers (not ones listed in the email).
  2. Verify requests for location changes in vendor payments and require an additional sign-off by company personnel.
  3. Educate employees – especially those who have access to sensitive data such as Forms W-2.
  4. Consult an IT professional if you don’t have one on staff to help follow these FBI-recommended safeguards:
     • Create intrusion detection system rules that flag emails with extensions similar to company email. Ex. legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
     • Create another email rule to flag communications when the ‘reply’ email address is different from the ‘from’ address.
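
The two FBI-recommended rules above can be sketched as a single check over a message's headers. This is an added example, not code from the IRS or FBI; the function names, the edit-distance threshold of 2 and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"  # the article's example; substitute your own

def _address(header_value):
    """Return the bare, lower-cased address from a From/Reply-To header."""
    return parseaddr(header_value or "")[1].lower()

def _edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Apply both rules to one raw message; return the list of flags raised."""
    msg = message_from_string(raw_message)
    from_addr = _address(msg["From"])
    reply_addr = _address(msg["Reply-To"])  # None when the header is absent
    from_domain = from_addr.rpartition("@")[2]
    flags = []
    # Rule 1: sender domain is close to, but not exactly, the company domain.
    if from_domain and from_domain != company_domain \
            and _edit_distance(from_domain, company_domain) <= max_distance:
        flags.append("lookalike-domain")
    # Rule 2: replies would go somewhere other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (only the headers matter here).
LOOKALIKE = ("From: CEO <ceo@abc-company.com>\nTo: payroll@abc_company.com\n"
             "Subject: W-2 list\n\nPlease send.")
REDIRECTED = ("From: CEO <ceo@abc_company.com>\nReply-To: ceo@mailbox.example\n"
              "To: hr@abc_company.com\nSubject: W-2 list\n\nPlease send.")
LEGITIMATE = ("From: HR <hr@abc_company.com>\nTo: payroll@abc_company.com\n"
              "Subject: Lunch\n\nNoon?")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("redirected", REDIRECTED),
                      ("legitimate", LEGITIMATE)]:
        print(name, bec_flags(raw))
```

A flag here means "route for a second look", in line with tip 1: the request still gets confirmed verbally before any data is sent.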

If a BEC incident does occur, be sure to notify the IRS and file a complaint with the FBI at the Internet Crime Complaint Center. Forward any IRS-themed scams to phishing@irs.gov.

By learning the tactics cybercriminals use and educating your staff, you’ll be well equipped to outsmart scammers and keep your small business safe.