How to protect your clients from BEC scams

Your Guide to State, Local, Federal, Estate + International Taxation

BEC scams, BEC, tax, fraudThe IRS continues to warn tax professionals and businesses about BEC scams. A BEC, or business email compromise scam, occurs when a hacker impersonates a company or organization executive’s email address and then targets an internal employee with a request for a wire transfer or a list of employees and their W-2s.

In IR-2017-130 the IRS includes information about what a business should do if victimized by a BEC scam or see our blog What’s a BEC? IRS warns businesses about continued W-2 email scams.

How can tax professionals help?

As the holding place of confidential client information, tax professionals need to protect their own systems from BEC scams and educate their clients about the existence of BEC scams. The IRS makes the following suggestions:

  • Confirm requests for Forms W-2, wire transfers or any sensitive data exchanges verbally, using previously-known telephone numbers, not telephone numbers listed in the email.
  • Verify requests for location changes in vendor payments and require a secondary sign-off by company personnel.
  • Educate employees about this scam, particularly those with access to sensitive data such as W-2s or with authorization to make wire transfers.
  • Consult with an IT professional and follow these FBI recommended safeguards:
    • Create intrusion detection system rules that flag e-mails with extensions that are similar to company email. For example, legitimate e-mail of would flag fraudulent email of
    • Create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown.
    • Color code virtual correspondence so emails from employee/internal accounts are one color and emails from non-employee/external accounts are another.

If a BEC incident occurs, notify the IRS at a special email notification address specifically for businesses and organizations to report W-2 thefts: and file a complaint with the FBI at the Internet Crime Complaint Center (IC3).

Think (and confirm) before you click.

Melinda Nelson, CPA