The Internal Revenue Service has temporarily suspended use of its Identity Protection PIN tool "as part of its ongoing security review," according to a notice issued by the IRS. The IP PIN is supposed to act as an extra layer of security for taxpayers who are at higher risk of becoming the victims of fraud because of personal information leaked in commercial data breaches.

Last year, the IRS shut down an electronic tool for obtaining tax data after a massive fraud operation using stolen Social Security numbers and other data from commercial data breaches managed to extract filing data for hundreds of thousands of taxpayers. This year, the IRS is facing a new wave of fraud, as criminals engage in a phishing campaign to obtain employees' W-2 form data.

On March 1, the IRS issued a warning to human resources departments throughout the US about the wave of phishing attacks—e-mails purportedly from company CEOs directed to payroll or HR employees, usually with text such as:

"Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."

"Can you send me the updated list of employees with full details (name, Social Security number, date of birth, home address, salary)."

"I want you to send me the list of W-2 copy of employees' wage and tax statement for 2015. I need them in PDF file type. You can send it as an attachment. Kindly prepare the lists and e-mail them to me asap."

Several companies, including Seagate and Snapchat, have already reported that they've been the victims of these attacks because employees fell for the messages. The exposures have placed thousands of current and former US employees at these companies at risk for potential tax fraud—heightening the need for the protection that the IRS' IP PIN is supposed to provide.

The PIN is generally distributed by mail, but the online IP PIN tool was put in place to help those who had misplaced or forgotten the six-digit PIN issued to them. And for some taxpayers—those whose letter was lost, taxpayers that the IRS "invited" to get IP PINs because of non-tax identity theft issues, and taxpayers in Florida, Georgia, and the District of Columbia participating in an IRS pilot program—the online tool was the only way to get an IP PIN.

However, a recent attack on the IRS.gov website that resulted in the breach of an IRS contractor's system—exposing 101,000 taxpayers' Social Security numbers and other data—prompted an IRS security review. The agency found that the online tool allowing taxpayers to reset their IP PIN wasn't secure enough to ensure the identity of the person doing the resetting. In a statement published on the IRS' site, an agency spokesperson said that the IRS is "looking at further strengthening the security features of the tool."

The IRS issued 2.7 million IP PINs by mail to taxpayers for the 2015 tax filing season and reports that about 130,000 people used the IP PIN online tool to try to retrieve PINs that were lost or forgotten. However, some of those attempts were apparently fraudulent.

The IRS has "put strengthened processes and filters in place for this tax season to review these tax returns," the spokesperson wrote, and those procedures "have helped detect potential identity theft and stopped refund fraud. Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN."

Taxpayers who have lost their IP PIN will now have to phone the IRS and verify their identity in order to get a new PIN mailed to them. Those who already have an IP PIN should include it on their tax returns.