Beware the W2 Phishing Scam

It’s the most wonderful time of the year! Just kidding, it’s tax season. 

The stress of filing our taxes, combined with the highly sensitive data shared in tax documents, creates a perfect storm for cybercriminals to take advantage of. For the past several years, thousands of businesses have been hit with phishing scams during tax season - and this year is unlikely to be any different.

What Are W-2 Phishing Scams

A W-2 phishing attack targets an organization with an email that appears to come from a top manager, such as the CEO or CFO. The attacker's goal is to acquire employees' sensitive information from their W-2s so it can be used to commit identity fraud.

A typical W-2 phishing scam plays out something like this:

A cybercriminal impersonates the CEO of your company in an email. The email - often framed as an "urgent" request - is sent to a staff member with access to employees' Form W-2s, such as an HR representative or accountant.

The request may ask for employee tax information to be sent back in a single file. The email’s tone will likely be polite and direct.

The IRS cites this example: “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

Because the email is cleverly disguised to look legitimate, the employee, eager to please their boss, gathers the tax forms and emails them back.

Just like that, the sensitive data included in that tax document - social security number, address, full legal name, etc. - has been handed over to a malicious actor.
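The scam described above leaves a recognizable pattern in the message itself: an executive's display name on an address that is not that executive's mailbox, a request for W-2 or payroll data, and pressure language. The following added example (not code from the original post or from Kotman Technology) shows a simple mail-gateway triage check that scores inbound messages on those indicators. The company domain, executive list, and sample messages are all constructed for this illustration; one of the samples reuses the IRS wording quoted above.

```python
import re
from email.utils import parseaddr

# Constructed company data for this example (assumption, not real values)
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",      # CEO
    "john smith": "john.smith@example.com",  # CFO
}

# Phrases that indicate a request for tax / payroll data
W2_TERMS = re.compile(r"\b(form\s+w-?2|w-?2s?|earnings summary|social security)\b", re.I)
# Pressure language typical of executive-impersonation lures
URGENCY_TERMS = re.compile(r"\b(urgent|kindly|asap|quick review|immediately|right away)\b", re.I)


def score_email(msg):
    """Return (score, reasons) for a message given as a dict with keys
    'from', 'reply_to', 'subject' and 'body'. Each matched indicator adds one point."""
    reasons = []
    display, addr = parseaddr(msg.get("from", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = display.strip().lower()

    # Display name matches a known executive but the address is not their mailbox
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' matches an executive but address is {addr}")
    # Sender domain is external or a look-alike of the company domain
    if domain != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{domain}' is not {COMPANY_DOMAIN}")
    # Reply-To steers replies to a different mailbox than the visible sender
    _, reply = parseaddr(msg.get("reply_to", ""))
    if reply and reply.lower() != addr:
        reasons.append(f"reply-to '{reply}' differs from sender address")

    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if W2_TERMS.search(text):
        reasons.append("requests W-2 / payroll data")
    if URGENCY_TERMS.search(text):
        reasons.append("uses urgency / pressure language")
    return len(reasons), reasons


def is_suspect(msg, threshold=3):
    """True when enough indicators stack up to warrant out-of-band verification."""
    score, _ = score_email(msg)
    return score >= threshold


# Constructed sample messages (not real emails)
SAMPLES = [
    {   # CEO impersonation from a free-mail account, IRS-quoted wording
        "from": '"Jane Doe" <jane.doe.ceo@gmail.com>',
        "reply_to": "jane.doe.ceo@gmail.com",
        "subject": "Urgent: W-2 review",
        "body": "Kindly send me the individual 2015 W-2 (PDF) and earnings summary "
                "of all W-2 of our company staff for a quick review.",
    },
    {   # Look-alike domain (digit 1 for letter l) with a mismatched Reply-To
        "from": '"Jane Doe" <jane.doe@examp1e.com>',
        "reply_to": "hr-requests@outlook.com",
        "subject": "W2 forms",
        "body": "Please send all employee W-2s in one PDF immediately.",
    },
    {   # Legitimate executive email from the real mailbox
        "from": '"Jane Doe" <jane.doe@example.com>',
        "reply_to": "",
        "subject": "Q1 planning",
        "body": "Can we meet Thursday to go over the Q1 plan?",
    },
    {   # Legitimate internal payroll notice: mentions W-2 but nothing else matches
        "from": '"Payroll" <payroll@example.com>',
        "reply_to": "",
        "subject": "W-2s are available",
        "body": "Your Form W-2 is now available in the payroll portal.",
    },
]


def triage(msgs):
    """Score every message; returns a list of (score, suspect, reasons)."""
    results = []
    for m in msgs:
        score, reasons = score_email(m)
        results.append((score, score >= 3, reasons))
    return results


if __name__ == "__main__":
    for (score, suspect, reasons), m in zip(triage(SAMPLES), SAMPLES):
        print(f"{'SUSPECT' if suspect else 'ok     '} score={score} subject={m['subject']!r}")
        for r in reasons:
            print(f"    - {r}")
```

The point of scoring rather than matching a single keyword is visible in the last two samples: a real executive email and an internal payroll notice each trip at most one indicator, while both lures stack four or five. In practice the executive list and domain come from the directory, and a hit routes the message to the recipient with a prompt to verify by phone, which is exactly the check item 4 below asks for.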

5 Ways to Protect Against W-2 Phishing Scams

Since these attacks are so wide-reaching and potentially damaging, how can you minimize the chance of falling victim? Company policies play a major role, but the individual actions of employees are also important. Here are five ways to help protect against W-2 phishing schemes.

1. Raise awareness 

Employers should remind staff to be on high alert for W-2 phishing scams during the months of January-April. Ensure employees - especially financial and/or HR staff with access to tax information - know about the threat.

2. Follow company policy

Employers should have policies about what types of information can be sent by email. This usually includes rules regarding sensitive financial information. Many companies require that requests like these be made in person, rather than through email.

3. Remain vigilant

If you receive an email asking for sensitive information, don’t be too eager to please. Always look for signs of phishing attempts, but remain especially alert when the email involves sensitive data.

4. Verify the sender

If you receive a request from a company executive, contact the sender by phone or in person to make sure the request is legitimate. Taking the time to do so is worth the hassle. This applies to any requests for sensitive information - tax time or not.

5. Report phishing attempts

If you believe you have received a W-2 scam email, inform your employer. Also, forward the email to phishing@irs.gov and put “W2 Scam” in the subject line.

A W-2 email phishing scam can have devastating effects on a business and its employees. This year presents increased challenges for employers trying to guard against these scams. Vulnerabilities created by COVID-19 and work-from-home have made these types of scams more alluring and potentially rewarding for cybercriminals.


Kotman Technology has been delivering comprehensive technology solutions to clients in California and Michigan for nearly two decades. With a customer retention of over 98%, we pride ourselves on being the last technology partner you'll ever need. Contact us today to experience the Kotman Difference.
