W-2 Phishing Scam: What It Is and How To Help Protect Against It

Identity thieves would love to swipe your 2024 tax refund. One way they might try is by tricking your employer with a W-2 phishing scam.

First, a quick definition: A W-2 phishing attack is a cyber tactic that hackers use to probe an organization’s infrastructure by sending an email from what might appear to be a top manager. The hackers might send a fake email from the CEO or CFO, for instance. Their aim is to acquire employees’ sensitive information from W-2s so they can leverage it to commit identity fraud.

How do W-2 phishing scams happen?

Tax season is a prime time for W-2 phishing scams. Here’s how they work in practice.

A fraudster might impersonate the CEO of a company in an email. The email—an “urgent” request—is sent to a staff member with access to employees’ Form W-2s.

The request might ask for employee tax information to be sent back in a single file. The email’s tone may be polite and direct—the fake exec needs the information right away.

For example, they might say something like: “Kindly send me the individual 2024 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

Eager to please the boss, the employee gathers the tax forms and emails them back.

Mission accomplished—for the identity thief. But it can be bad news for employees who have had personal information handed over to criminals.

Why your Form W-2 needs protection

W-2s are those essential forms you include when you file your taxes. They contain information such as your name, address, Social Security number, income, and tax withholdings.

That’s just about everything a fraudster needs to commit tax-related identity theft. Tax-related identity theft occurs when someone uses your stolen Social Security number to file a tax return claiming a fraudulent refund.

And that might not be the end of it. That same information could be used to open a new credit card or take out a loan in your name.

W-2 phishing schemes have wide reach

W-2 tax scams first surfaced in 2016 and since then fraudsters have taken wide aim, hitting companies, payroll service providers, hospitals, nonprofits, public schools, and universities.

In one incident, a government cybersecurity contractor fell victim to the scam. Fraudsters stole the W-2 data of all employees.

W-2 phishing scams are back for the 2024: According to the CyberRisk Alliance, W-2 frauds already increased by 130% between December 2023 and January 2024. The scams can be sophisticated and convincing. That’s why employers and employees should know how to help protect against them.

5 ways to help protect against W-2 phishing scams

How can you minimize the chance of becoming a victim of a W-2 phishing scam? Company policies play a role. The individual efforts of staffers also play a role. Here are five ways to help protect against W-2 phishing schemes.

1. Raise awareness: Employers should remind staff that it’s high season for W-2 phishing scams. Make sure employees—especially financial staff with access to tax information—know about the threat.
2. Follow company policy: Employers often have policies about what can of information can be sent by email. This usually includes rules regarding sensitive financial information. Sometimes, for instance, top executives are not allowed to make such requests via email.
3. Stay vigilant: If you receive an email asking for sensitive information, do not comply. Such requests might include not only tax information or payroll records, but also account numbers or passwords.
4. Verify the sender: If you receive a request from a company executive, contact the sender by phone to help make sure the request is legitimate. Be careful about sending the information, even if the executive says it’s OK.
5. Flag scam emails: If you receive a W-2 scam email, let your employer know. Also, forward the email to phishing@irs.gov and put “W2 Scam” in the subject line.

Taking protective measures is no guarantee you won’t fall victim to a W-2 phishing scam. So, here’s a bonus tip for this tax season: It’s smart to file your taxes early, before identity thieves do it for you.