Don’t get hooked by W-2 phishing scams this tax season


Tax season has begun, ushering in a new opportunity for cybercriminals to dupe unsuspecting businesses into voluntarily handing over employee W-2s to be used for fraudulent tax returns. For the 2018 tax year, the IRS reported 649,000 confirmed fraudulent returns that attempted to obtain $3.1 billion in refunds. The number of confirmed identity theft returns increased by 9% from 2017, indicating W-2 phishing schemes continue to be successful despite their ubiquity.

These days, phishing attempts are targeted and sophisticated. Gone are the days of the Nigerian prince blasting out generic requests hoping to hit big on a small percentage of victims. In the case of W-2 phishing schemes, attackers first find valuable personal information on a potential target, using either information publicly available from company websites and social media or information gained from a compromise of a company’s system. The attackers then impersonate an appropriate company representative and launch an attempt to get the target to send employee W-2s. They sometimes have enough information to adopt the tone of the person they are impersonating or can use email chains already started between the target and the impersonated representative to add a layer of authenticity to the fraud.

Defending against these attacks requires constant vigilance. Below are six cyber-savvy tips on protecting your employees and your business from W-2 phishing scams and the ensuing identity theft, tax fraud, data breach notification obligations, lawsuits, regulatory investigations, and potentially fines and penalties.

  1. Train employees on how to recognize phishing emails – Employees should be trained on common tells to identify phishing emails, including requests that seem out of character for the alleged sender, misspelled personal or company names, email addresses that are off by one or two characters, and generic greetings without the receiver’s name. Make sure employees know they can hover their cursors over the email address of a sender to see whether it is authentic.
  2. Raise awareness among commonly targeted staff – Although all employees should undergo training, make sure special attention is paid to staff who have access to tax information such as those in accounting, finance and HR. Keep them informed during tax season and throughout the year on the increasing frequency and sophistication of these kinds of phishing attacks. Remind them the IRS does not initiate contact with taxpayers by email, so even emails appearing to be urgent requests from the IRS should be reported. 
  3. Verify requests over the phone or in person – If an employee receives a request for a W-2 or other sensitive information, encourage them to confirm the request is legitimate by calling the person allegedly making the request or, if possible, walking down the hall to talk to them in person. This is especially important because sometimes the email can actually come from within the business and not from an email address easily identifiable as fraudulent (as would be the case in a successful business email compromise).
  4. Update company policy – Limit the number of people in your organization who have access to or handle W-2 forms and requests, and require them to take another step to confirm the legitimacy of a request beyond the email itself before they send sensitive personal information such as W-2s. Also set limits on the bulk transfer of W-2s or any sensitive employee information.
  5. Report unsuccessful phishing attempts to the IRS – Unsuccessful phishing attempts can be forwarded to and you can also file a complaint with the FBI’s Internet Crime Complaint Center.
  6. Even the best-trained employees make mistakes – If you discover an employee has been successfully phished, do not wait to act. Contact your legal counsel right away to discuss next steps.

Attorneys from McDonald Hopkins’ Data Privacy and Cybersecurity team are available to counsel on responding to any suspected breach and can provide next steps for mitigating the harm that may arise.

