Tax season is always a busy time for scammers trying to gain access to sensitive information, but this year attacks are coming earlier and in greater numbers than usual. The uptick has caused the IRS to release an urgent alert warning employers to be on the lookout for what they’re referring to as “one of the most dangerous email phishing scams we’ve seen in a long time.”

How W-2 Phishing Works

By using email spoofing techniques, criminals are send emails that look as though they are coming directly from a high-level executive in your organization. They send the message to an employee in the payroll department or HR and include a request for a list of the organization’s employees along with their W-2 forms.

These attacks have claimed more than 15,000 victims and cost organizations more than $1 billion over the past three years.

The attacks have already resulted in at least 120,000 employees being exposed to fraudulent tax returns and identity theft. The number is expected to rise dramatically during the current tax season.


Who They are Targeting

Victims range from healthcare providers to utilities companies to restaurants to even a minor league baseball team, underscoring the IRS warning that all employers should be on alert.

That said, school districts and colleges appear to be disproportionately targeted, making up nearly one third of the victim list so far.

So why are victims falling for these scams? These unfortunately aren’t your average spam emails. Attackers are researching their targets to identify top executives and payroll/HR employees by name. By spoofing company email addresses they’re able to make it appear like their messages are an urgent requests coming straight from the top.


How to protect your organization

Step 1: Make employees aware

Share alerts with all relevant employees, specifically those in payroll or HR departments.


Step 2: Implement a policy of confirming sensitive requests

Ideally, you can have systems in place to avoid sending sensitive information like W-2 forms over email altogether. At the very least, though, any request for sensitive information should be confirmed outside of email.


Step 3: Make it more difficult for scammers to guess your company’s email structure

Criminals love finding legitimate business email addresses they can use to make these attacks more realistic.

Have you received a phishing scam email?

The IRS recommends you forward it to and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them are also instructed to file a complaint with the Internet Crime Complaint Center (IC3,) operated by the FBI.

Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission at or the IRS at


For the full article: