According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect.

The W-2 scams often begin with a “spoofing” email that appears to be sent by a company’s CEO or CFO to one or more employees in human resources or payroll or an executive assistant. Some cybercriminals specifically target these emails at times when the executive may be traveling, the business may be urgently preparing tax statements or other periods when employees are more likely to be caught off guard. Cybercriminals attempt to trick the employees into disclosing employee names, Social Security numbers and income information. The criminals then attempt to file fraudulent tax returns for tax refunds. Here is an example.




Subject:           Treat as Urgent

Date:               February 20, 2018 10:55 AM


Hi, Steve,

I need copies of all employees’ W-2 wage and tax statements for 2017 to complete a business transaction. I need them in PDF format. Please send them as an attachment as soon as you can.




The email appears to be a completely legitimate request from a legitimate email address, but in reality the email is from someone entirely different and has the “REPLY TO” field (which is typically hidden from the end user) set to an email address controlled by the criminal; for example, The email headers would show this. Other variations on the content of the W-2 scam requests can be found in the IRS’ alert on the topic issued Jan. 25, 2017.

We expect W-2 scams to continue to rise because of (1) the success attackers had in the past several years; (2) the increase in activity year over year; (3) the time and effort it takes to send targeted emails to employees across industries, which is significantly less than the effort it takes to infiltrate a network; and (4) the low cost to enter the market as an entry-level criminal conducting W-2 scams. The IRS will likely issue further alerts as the tax season gets underway.

In order to prepare for the upcoming tax season, companies can focus on some of the following best practices:

  • Re-educate all employees about phishing in general and spear phishing in particular.
  • Never take an email from an ostensibly familiar source at face value; for example, an email from the CEO or an HR executive. If it asks you to open a link or an attachment, think twice.
  • If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.
  • Consider a verbal confirmation by phone during tax season if you receive an email requesting copies of W-2s.
  • Be cautious of verification via instant messaging (IM), as an attacker with access to an email account may also have access to IM.

Bottom line, payroll officials should double-check any executive-level or unusual requests for copies of W-2s. You can review a compilation of IRS alerts as well as further information on how to avoid tax fraud in general on the IRS’ website.

2018 BakerHostetler Data Security Incident Response Report

Our annual data security incident response report, which provides an in-depth look at cybersecurity trends, will be released soon. Get your complimentary copy by signing up for our mailing list.