Business As We See It October (B) 2017

September 19, 2017

The Ins and Outs of W-2 Phishing Scams

Business As We See It | MBK | OctoberA growing number of businesses have been victimized by W-2 phishing scams. In a traditional phishing scam, a criminal tricks someone into providing confidential information, and then uses it to steal money and/or the victim’s identity. The W-2 phishing scam is a variation on this.

How it Works

In a W-2 phishing scam, cybercriminals send emails to a company’s employees — typically in payroll, benefits or human resources departments — that claim to be from the company’s management. The emails request a list of employees along with their W-2 forms, Social Security numbers or other confidential data.

Here are some examples straight from the IRS:

“Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

“Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”

If the employee responds, criminals can use this information to file fraudulent tax returns in the employees’ names, seeking refunds.

The scam is particularly nefarious because the employees it targets probably believe that, in complying with the emailed instructions, they’re doing exactly what they’re supposed to. Moreover, at first glance, the emails typically appear legitimate. Many contain the company’s logo and the name of an actual executive, typically gleaned from publicly available information.

The increasing number of such scams prompted the IRS to issue an alert in 2016: “IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s.”

Education is Key

While these scams have become more prevalent, businesses can take steps to reduce their risk. Because the scams target humans, rather than the technology itself, education is key. Inform all employees, and particularly those in areas that handle sensitive data, of the scams. Remind them not to click on links or download attachments from emails that were unsolicited or sent by those they don’t know.

Employees often are nervous about questioning a request that appears to come from upper management, so encourage employees to double-check any request for sensitive information, no matter who appears to be making it. They should do this not by responding to the email in question, but by talking with a trusted supervisor or colleague.

Don’t Fall Victim

Technology has a role to play as well. Install robust antivirus and spam filters and keep them updated. With sensible precautions, businesses can reduce the risk of falling victim to W-2 phishing scams.

© 2017

This material is generic in nature. Before relying on the material in any important matter, users should note date of publication and carefully evaluate its accuracy, currency, completeness, and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances.

Share Post:

Endowment Management 101

By Meyers Brothers Kalicka March 27, 2026
Nonprofit organizations that have an endowment must adhere to certain regulations, including when it comes to spending from investment income. For this reason, many nonprofits opt to have a financial professional manage their endowment investments.

The IRS "Dirty Dozen for 2026"

By Meyers Brothers Kalicka March 25, 2026
Every year, the IRS releases its "Dirty Dozen" list of common scams and schemes that taxpayers should be aware of. As we enter the peak of tax season, make sure you stay alert and aware.

Understanding Board-Designated Net Assets

By Meyers Brothers Kalicka March 23, 2026
Sometimes donors put restrictions on their donated funds, and in other instances, nonprofit boards place limits on certain assets. Board-designated net assets can prove critical to the survival of programs, projects, or an organization itself.
Show More