The IRS recently issued an urgent bulletin warning of the dangers of so-called “W-2 phishing” scams. In these cons, fraudsters use phony emails to fool someone in the company into handing over employees’ W-2 records and other personally identifying information and then use the data for all manner of identity theft.
While phishing is as old as the internet, the current wave of W-2 scams—often coupled with an old-school wire transfer scam—has reached an unprecedented level. And the consequences for the thousands of employees whose data has been exposed include lost mortgage opportunities, ruined credit, and a lifetime of administrative headache. Notably, the IRS has been forced to delay issuing tax refunds to millions of taxpayers, including 40 million low-income families who depend heavily on their refund checks, in order to weed out fraudulent returns.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said in a statement. “It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”
What is phishing, anyway?
The federal government defines phishing as “a security threat used to deceive an email recipient by posing as a legitimate entity.” Every day, over 150 million phishing emails are sent around the world.
The number of unique phishing scam campaigns has increased tenfold over the past five years. The first three months of 2016 alone saw a frightening jump in the number of unique documented phishing campaigns, from around 99,000 in January of that year to nearly 230,000 that March. In 2016 dozens of high-profile companies were hit.
How do W-2 phishing scams work?
The scams target human resources or other administrative staffers who have access to employees’ personal data. The perpetrators will send an email, made to look like it was sent by the company’s CEO, asking the employee to send over the information.
The scammers will often extensively research their targets on social media before crafting and sending the phishing email for maximum effect. The emails are often very convincing—and people continue to fall for them. Indeed, one study found that more than two-thirds of those surveyed were fooled by a phishing email claiming to be from a coworker looking to schedule a meeting.
This year the fraudsters are adding a new twist with a follow-up scam, in which they send yet another email—again, supposedly from the CEO—this time to the comptroller or head of payroll, asking that a wire transfer be made to a specified account. This often works, too, resulting in a company being victimized twice.
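The two-stage scheme described above has a recognisable shape from the mail-gateway side: a message whose display name is an executive's but whose sender address or Reply-To does not belong to the company, combined with a request for W-2 data or a wire transfer. The following is an added example of that kind of screening check, not code from the article or from the IRS; the company domain (example.com), the executive roster, the keyword lists and the three sample messages are all constructed for the illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: the organisation's own mail domain and the executives whose names
# are most likely to be impersonated, mapped to their real addresses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Request indicators for the two stages of the scheme: the W-2 data request
# and the follow-up wire-transfer request. Keyword lists are assumptions.
W2_KEYWORDS = re.compile(r"\bW-?2s?\b|social security|\bssn\b|payroll (records|data)", re.I)
WIRE_KEYWORDS = re.compile(r"\bwire (transfer|payment)\b|account number|routing number", re.I)

SENDER_FLAGS = {
    "executive display name with non-matching sender address",
    "Reply-To domain differs from From domain",
}


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message):
    """Return the list of indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Stage 1 of the check: does the sender look like an executive but come
    # from somewhere other than that executive's real address?
    name, addr = parseaddr(msg.get("From", ""))
    name = name.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display name with non-matching sender address")

    # Replies silently routed to a different domain are a second sender anomaly.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("Reply-To domain differs from From domain")

    # Stage 2 of the check: what is the message asking for?
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    haystack = msg.get("Subject", "") + "\n" + text
    if W2_KEYWORDS.search(haystack):
        findings.append("requests W-2 / SSN data")
    if WIRE_KEYWORDS.search(haystack):
        findings.append("requests wire transfer")
    return findings


def is_suspicious(raw_message):
    """Flag only when a sender anomaly and a sensitive request occur together,
    so that routine internal HR or payroll mail about W-2s is not flagged."""
    found = set(analyse(raw_message))
    return bool(found & SENDER_FLAGS) and bool(found - SENDER_FLAGS)


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@example.net>
Reply-To: ceo.office@mail-example.net
To: hr@example.com
Subject: Urgent - employee W-2s

Kindly send me the 2016 W-2 forms for all employees as PDF before the board meeting.
"""

SAMPLE_WIRE = """\
From: Jane Doe <jane.doe@example.net>
To: payroll@example.com
Subject: Re: vendor payment

Please process a wire transfer of $48,500 to the account number below today.
I am in meetings all day, so reply to this thread only.
"""

SAMPLE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: hr@example.com
Subject: W-2 mailing schedule

When do the W-2 forms go out to employees this year?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("wire", SAMPLE_WIRE), ("internal", SAMPLE_INTERNAL)):
        print(label, is_suspicious(raw), analyse(raw))
```

The design point is in `is_suspicious`: keyword matches alone would flag legitimate HR and payroll traffic, and sender anomalies alone would flag harmless lookalike addresses, so the check requires both before raising an alert. In a real deployment the executive roster would come from the directory rather than a literal, and the flagged message would be held for review rather than merely printed.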
Who is being targeted by W-2 phishing scammers this time around?
While W-2 phishing scams have become increasingly common, perhaps the most alarming thing about the current wave of W-2 phishing is that it “has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits,” the IRS noted in its warning bulletin.
Last month, solar pioneer Sunrun fell victim to W-2 phishing scammers who pretended to be CEO Lynn Jurich. The perpetrators made off with forms W-2 for “a substantial portion” of Sunrun’s 4,000 current and former employees. The company realized what had happened within an hour of the scam, is working with authorities, and has offered affected employees two years of identity theft protection.
What are the consequences of phishing to employees?
Identity thieves like those who hit Sunrun gain access to victims’ names, addresses, Social Security numbers, and salary information. This data, often combined with other bits easily obtainable on the web, allows an identity thief to wreak havoc on a victim’s life through a wide range of frauds, including:
- obtaining unemployment benefits in the victim’s name;
- obtaining loans in the victim’s name;
- applying for credit cards or spending money using the victim’s identity;
- filing false tax returns and collecting refundable tax credits in the victim’s name;
- obtaining medical care and leaving the victim with the bill;
- fraudulently obtaining Social Security and other government benefits in the victim’s name; and
- applying for fake birth certificates, driver’s licenses, and other public documents using the victim’s name.
What can employees do if their company has been victimized by a W-2 phishing scam?
Employers have a duty to keep employees’ personally identifying information secure, and that includes W-2 records. Sunrun and many other companies that have fallen prey to W-2 phishing scams often offer employees free credit monitoring for a limited period of time—but once the free period expires (and sometimes even before), compromised employees are left to deal with the fallout on their own.
And free credit monitoring is no help to employees whose identities have already been stolen. When hard drive manufacturer Seagate released over 10,000 records of past and present employees in response to a phishing email last year, the scammers immediately got to work and used the data to file false tax returns and perform other types of identity theft. Seagate’s chief technology officer admitted that the release “was caused by human error and lack of vigilance, and could have been prevented.”
Still, while Seagate offered employees free credit monitoring, the company allegedly did not offer any assistance or compensation to victims whose identities had already been stolen. Last September, some of those victims launched a class-action lawsuit against Seagate to hold it accountable and recover damages and out-of-pocket expenses they suffered as a result of the breach.
“It is critical to act quickly to protect your credit history if your employer has fallen victim to a W-2 phishing scam,” says data breach attorney Eric Grover. “If your W-2 data has been compromised, contact an attorney to see what you can do to protect yourself moving forward.”