W-2 PHISHING: COMPLETE PROTECTION GUIDE FOR BUSINESSES AND EMPLOYEES
A comprehensive guide to W-2 phishing attacks, including how they work, real-world cases, FBI IC3 statistics, detection checklists, prevention steps, and incident response procedures. Backed by data from the FBI, IRS, NIST, and CISA.
What is the quick answer on W-2 phishing?
W-2 phishing is a targeted Business Email Compromise (BEC) attack where cybercriminals impersonate a company executive and email HR or payroll staff requesting copies of all employee W-2 tax forms. These forms contain Social Security numbers, wages, and addresses. Attackers use stolen W-2 data to file fraudulent tax returns or sell identities on the dark web. The IRS calls it "one of the most dangerous email phishing scams" in the tax community.
What is W-2 phishing?
W-2 phishing is a specific category of Business Email Compromise in which an attacker impersonates a senior executive, most commonly the CEO, and sends a fraudulent email to an employee in the HR, payroll, or finance department. The email requests copies of employee W-2 tax forms, which contain highly sensitive personally identifiable information (PII) including full legal names, Social Security numbers, home addresses, employer identification numbers, and annual wage data.
The IRS Form W-2 is the single most valuable document for tax-related identity theft. A stolen W-2 gives a criminal everything required to file a complete fraudulent federal tax return and claim a refund in the victim's name. The attack requires no malware, no malicious links, and no technical exploitation. It relies entirely on social engineering and the natural tendency of employees to comply with requests that appear to come from authority figures.
W-2 phishing is classified by the FBI as a subset of Business Email Compromise. The FBI also refers to this attack pattern as Business Email Spoofing (BES) when the attacker forges the sender address rather than compromising the actual executive email account. Both methods produce the same outcome: an employee sends confidential tax records to a criminal believing they are responding to a legitimate internal request.
The IRS maintains a dedicated reporting process for W-2 phishing at dataloss@irs.gov, underscoring the severity and prevalence of this specific attack vector.
Why does W-2 phishing matter?
W-2 phishing matters because a single successful email can expose the identities of every employee in an organization simultaneously. Unlike wire transfer BEC, which steals dollars from the company, W-2 phishing steals identities from employees at scale, creating hundreds or thousands of individual victims from one compromised email exchange.
The FBI IC3 numbers
The scale of the broader threat is staggering. The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report documents the following:
- $16.6 billion in total reported cybercrime losses across 859,532 complaints, a 33 percent increase from 2023
- $2.77 billion in losses from Business Email Compromise alone, the category under which W-2 phishing falls
- 193,407 complaints for phishing and spoofing, making it the most reported crime type for the year
- $8.5 billion in cumulative BEC losses reported to IC3 between 2022 and 2024
BEC remained the second-costliest cybercrime category in 2024, behind only investment fraud. The FBI noted that 63 percent of organizations experienced BEC attacks during the year.
Why small businesses face elevated risk
Small and mid-sized businesses are disproportionately targeted. Organizations with fewer than 1,000 employees have a 70 percent weekly probability of receiving at least one BEC attack attempt. The average BEC-related business interruption cost for SMEs is $487,000. Small businesses often lack dedicated IT security staff, formal data handling policies, and advanced email authentication, making them especially vulnerable to impersonation attacks.
The IRS perspective
The IRS has repeatedly classified the W-2 phishing scam as one of the most dangerous email threats in the tax community. During one recent filing season, the IRS reported a 400 percent surge in phishing and malware incidents targeting taxpayers, businesses, and tax professionals. The agency includes email phishing in its annual Dirty Dozen list of tax scams, which it published most recently in February 2025.
W-2 phishing is uniquely harmful because the stolen data has a long shelf life. Unlike a wire transfer that either succeeds or fails in the moment, stolen W-2 data can be used for fraudulent tax filings, synthetic identity creation, credit fraud, and resale on dark web marketplaces for years after the initial breach.
How does a W-2 phishing attack work?
A W-2 phishing attack follows a predictable, multi-stage sequence. Understanding each stage helps organizations identify and interrupt the attack before data leaves the building.
Step 1: Reconnaissance
The attacker researches the target organization using publicly available sources. LinkedIn profiles reveal the CEO's name, the head of HR, payroll staff, and organizational structure. The company website provides executive names and titles. Press releases and social media posts may reveal travel schedules, company events, or new hires. The attacker uses this information to craft a convincing impersonation and to time the attack for maximum effectiveness, often striking when the CEO is traveling or out of office.
Step 2: Infrastructure setup
The attacker prepares their email infrastructure. This may involve registering a look-alike domain (for example, company.co instead of company.com, or conpany.com with a transposed letter), configuring a spoofed sender address, or in more sophisticated cases, compromising the executive's actual email account through a prior credential phishing attack. Organizations that have not implemented SPF, DKIM, and DMARC email authentication are particularly vulnerable to domain spoofing.
Step 3: Initial contact
The first email is typically brief, casual, and designed to confirm the target is available. The IRS notes that these emails commonly begin with a simple message like "Hi, are you working today?" or "Are you at your desk? I need something handled quickly." This short exchange establishes rapport and confirms the target is responsive before the attacker makes the sensitive request.
Step 4: The W-2 request
Once the target replies, the attacker sends the core request. A typical message reads: "I need you to send me copies of all 2024 employee W-2 forms in PDF format by end of day. Please treat this as confidential." The email leverages urgency, authority, and confidentiality to discourage the employee from questioning the request, consulting a colleague, or following standard verification procedures.
Step 5: Data exfiltration
When the employee complies, the attacker receives W-2 data for the entire organization. This data is immediately actionable. Attackers can file fraudulent tax returns with the IRS within hours of receiving the data. The stolen information is also sold on dark web marketplaces, where a complete W-2 record commands higher prices than credit card numbers because of its broader utility for identity fraud.
Step 6: Secondary attack
The IRS has documented a pattern in which W-2 phishers follow the data theft with a second request. Having already established trust with the target employee, the attacker sends an additional email requesting a wire transfer to a specified bank account. This combination of identity theft and direct financial fraud compounds the damage from a single successful impersonation.
Step 7: Delayed discovery
Because the attack involves an employee performing what they believe is a routine business task, organizations may not realize they have been compromised for days, weeks, or even months. The breach is often discovered only when employees report that their tax returns have been rejected by the IRS because a return has already been filed in their name.
What are real-world examples of W-2 phishing attacks?
Snapchat (February 2016)
In one of the most widely reported W-2 phishing incidents, an attacker impersonated Snapchat CEO Evan Spiegel via email and requested payroll data from an HR employee. The employee complied, sending W-2 information for current and former employees including names, Social Security numbers, and compensation data. Snapchat detected the breach approximately four hours after it occurred, reported the incident to the FBI, and offered affected employees two years of free identity theft monitoring. In a public statement, the company acknowledged the breach with "real remorse and embarrassment."
Seagate Technology (March 2016)
Days after the Snapchat disclosure, data storage manufacturer Seagate Technology revealed an identical attack. An employee sent 2015 W-2 data for all current and former U.S.-based employees to an unauthorized party who had spoofed an internal executive email. Seagate's CFO Dave Morton wrote in an internal email to employees: "This mistake was caused by human error and lack of vigilance, and could have been prevented." The breach affected several thousand employees.
Broader pattern
These were not isolated events. Stu Sjouwerman, CEO of security awareness training firm KnowBe4, reported at the time that hundreds of companies appeared to have been targeted by the same W-2 phishing campaign. The IRS subsequently issued an urgent alert warning that W-2 phishers were striking a far broader range of organizations than previously observed, including school districts, healthcare organizations, chain restaurants, temporary staffing agencies, tribal organizations, and nonprofits. No industry or organization size was immune.
The IRS has noted that W-2 phishing scams have continued every tax season since these initial high-profile cases, with attackers refining their techniques each year. By 2025, the IRS Dirty Dozen list continued to highlight both email phishing and spear phishing as top threats, with specific warnings about the "new client" scam targeting tax professionals.
How do you detect a W-2 phishing email?
Use the following checklist to evaluate any email requesting W-2 or employee tax data. A single red flag warrants verification through a secondary channel before any data is released.
Sender verification
- Does the sender's email address exactly match the executive's known address? Check character by character. Look for domain variations (.co vs .com, .net vs .org), transposed letters (conpany vs company), extra characters (companyy.com), or the use of a free webmail service (gmail.com, outlook.com). FBI data indicates that 73 percent of BEC attacks originate from free webmail accounts.
Request pattern analysis
- Is this the normal channel and process for requesting W-2 data? Legitimate executives rarely email payroll departments asking for bulk employee tax documents. If no prior precedent exists for this type of request, treat it as suspicious regardless of who appears to have sent it.
- Does the request ask for data on all employees? A request for the entire organization's W-2 data, rather than a single individual record, is a strong indicator of a phishing attack.
Urgency and confidentiality signals
- Does the email create artificial time pressure? Phrases like "I need this before end of day," "please handle this immediately," or "this is time-sensitive" are hallmarks of BEC attacks.
- Does the email request secrecy? Instructions like "please keep this confidential" or "don't discuss this with anyone else" are designed to prevent the employee from verifying the request through normal channels.
Communication pattern
- Did the exchange begin with a brief, casual opener? The two-step approach of a short "are you available?" message followed by the sensitive data request is a documented W-2 phishing pattern identified by the IRS.
- Does the reply-to address differ from the display name? This mismatch is a common technical indicator of email spoofing.
Technical indicators
- Does the email carry an external sender warning banner? If your organization tags messages from outside the network, an external tag on what appears to be an internal executive email is a definitive red flag.
- Did the email bypass your organization's normal email routing? Check the email headers for anomalies in the sending infrastructure.
Timing
- Is the request arriving during January through April? W-2 phishing attacks peak during tax filing season, though they can occur year-round. Heightened vigilance during this period is essential.
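The checklist above can be turned into a first-pass screen that runs over incoming messages before a human reviews them. The script below is an added example written for this guide, not code from the IRS, the FBI or the page's author; company.com, the executive mailbox, the phrase lists and both sample messages are constructed assumptions. It covers the sender-domain variants from step 2 (.co, transposed and doubled letters), free webmail senders, a Reply-To that differs from the sender, the receiving server's own SPF/DKIM/DMARC verdicts in the Authentication-Results header, bulk W-2 wording, urgency and secrecy phrases, and tax-season timing.

```python
"""Heuristic screen for W-2 data requests, modelled on the checklist above.

Added example for this guide, not code from the IRS, FBI or the page's author.
Domain names, mailbox names and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "company.com"                          # assumed: your own mail domain
KNOWN_EXECUTIVES = {"ceo@company.com": "Jane Doe"}  # assumed: address -> display name
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
URGENCY = ("end of day", "immediately", "time-sensitive", "asap", "right away", "quickly")
SECRECY = ("confidential", "don't discuss", "do not discuss", "between us")
# "all/every/entire ... W-2" within a short span: a bulk request, not a single record
BULK_W2 = re.compile(r"\b(all|every|entire)\b.{0,40}\bw-?2s?\b", re.IGNORECASE | re.DOTALL)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches substituted, dropped or doubled letters in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """Not our domain, but within two edits of it or reusing our label on another TLD."""
    if domain == ORG_DOMAIN:
        return False
    same_label = domain.split(".")[0] == ORG_DOMAIN.split(".")[0]
    return same_label or edit_distance(domain, ORG_DOMAIN) <= 2


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (a single-part message is its own part)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)


def screen(raw: str) -> list[str]:
    """Return checklist red flags for one raw RFC 5322 message; 'context:' entries are not flags."""
    msg = message_from_string(raw)
    flags: list[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if display in KNOWN_EXECUTIVES.values() and addr not in KNOWN_EXECUTIVES:
        flags.append(f"display name '{display}' on an address that is not the executive's known address")
    if domain in FREE_WEBMAIL:
        flags.append(f"sender uses free webmail domain {domain}")
    elif lookalike(domain):
        flags.append(f"sender domain {domain} looks like {ORG_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"reply-to {reply_to} differs from sender {addr}")
    # Authentication-Results is stamped by your own gateway (assumed to strip inbound copies),
    # so its spf/dkim/dmarc verdicts are the receiving side's view of the sending infrastructure
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            flags.append(f"{mech} result is {m.group(1)}")
    body = body_text(msg).lower()
    if BULK_W2.search(body):
        flags.append("requests W-2 data for all employees")
    if any(p in body for p in URGENCY):
        flags.append("artificial time pressure")
    if any(p in body for p in SECRECY):
        flags.append("asks for secrecy")
    if msg.get("Date") and parsedate_to_datetime(msg["Date"]).month <= 4:
        flags.append("context: received during tax filing season (January to April)")
    return flags


def needs_verification(raw: str) -> bool:
    """Checklist rule: a single red flag means verify out of band before releasing any data."""
    return any(not f.startswith("context:") for f in screen(raw))


# Constructed sample messages: the two-step W-2 request, and a routine internal note
PHISH = """\
From: Jane Doe <jane.doe@conpany.com>
Reply-To: janedoe.ceo@gmail.com
To: payroll@company.com
Date: Tue, 11 Feb 2025 09:12:00 -0500
Subject: Quick request
Authentication-Results: mx.company.com; spf=none smtp.mailfrom=conpany.com; dkim=none; dmarc=none

I need you to send me copies of all 2024 employee W-2 forms in PDF format
by end of day. Please treat this as confidential.
"""
LEGIT = """\
From: Jane Doe <ceo@company.com>
To: payroll@company.com
Date: Mon, 16 Jun 2025 14:05:00 -0400
Subject: Board meeting slides
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass

Could you add the Q2 headcount summary to the board deck when you get a chance?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", "verify out of band" if needs_verification(raw) else "no red flags")
        for flag in screen(raw):
            print("  -", flag)
```

Run as-is, the phishing sample trips nine red flags plus the tax-season context line and the routine note trips none. A screen like this is a triage aid, not a substitute for the out-of-band phone call: a genuinely compromised executive account produces a clean Authentication-Results block and no domain anomaly, leaving only the request pattern and the wording to catch it.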
How can organizations prevent W-2 phishing attacks?
Prevention requires layered defenses that combine policy controls, technical safeguards, and human awareness. No single measure is sufficient on its own. The most effective defense integrates all three layers.
Policy and process controls
Establish a formal W-2 data handling protocol. Create a written, organization-wide policy that W-2 data is never transmitted via email under any circumstances, regardless of who requests it. Document this policy and distribute it to all HR, payroll, and finance personnel. Review and reaffirm the policy annually before tax filing season begins.
Require out-of-band verification for all sensitive data requests. Any request for bulk employee data, regardless of the apparent sender, must be verified through a separate communication channel. This means a phone call to a known number, an in-person confirmation, or a verification through an established secure internal system. Email replies to the original request do not constitute valid verification.
Implement dual authorization. Require at least two authorized individuals to approve any release of bulk employee PII. This eliminates the single point of failure that attackers exploit and introduces a second person who can recognize the social engineering attempt.
Restrict data access. Limit the number of employees who have the technical ability to access and export W-2 files. The fewer people with access, the smaller the attack surface. Apply the principle of least privilege to all payroll and HR systems.
Technical defenses
Deploy SPF, DKIM, and DMARC. These three email authentication protocols are the foundation of domain spoofing prevention. Sender Policy Framework (SPF) specifies which mail servers are authorized to send email on behalf of your domain. DomainKeys Identified Mail (DKIM) cryptographically signs outgoing messages to verify integrity. Domain-based Message Authentication, Reporting and Conformance (DMARC) ties SPF and DKIM together and instructs receiving servers on how to handle messages that fail authentication. NIST Special Publication 800-177 Rev. 1 (Trustworthy Email) recommends all three protocols for enterprise email security. CISA specifically recommends DMARC enforcement for preventing phishing emails from reaching end users.
Enable external email tagging. Configure your email system to display a prominent visual banner on all messages originating from outside the organization. This simple control alerts employees when a message that appears to be from an internal executive actually originated from an external source.
Deploy advanced email security tools. Use email security solutions that analyze sender behavior patterns, detect display name spoofing, identify look-alike domains, scan for BEC indicators, and flag anomalous requests for sensitive data. AI-powered email security platforms can detect subtle impersonation signals that rule-based filters miss.
Enforce multi-factor authentication (MFA) on all email accounts. Protect executive, HR, and payroll email accounts with MFA to prevent account compromise. CISA references a Google study finding that MFA blocks 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. NIST SP 800-63B provides detailed guidance on phishing-resistant authentication methods.
Disable auto-forwarding to external domains. Prevent attackers who do compromise an account from silently forwarding copies of all incoming mail to an external address.
Employee training
Conduct regular, role-specific security awareness training. Train HR, payroll, and finance employees specifically on W-2 phishing scenarios using real-world examples. Generic annual cybersecurity training is insufficient. Role-specific training that addresses the exact attack patterns these employees face produces measurably better results. Organizations that implement security awareness training reduce phishing susceptibility by over 40 percent within 90 days.
Run simulated W-2 phishing exercises. Test employees with realistic simulation emails that mimic actual W-2 phishing tactics, including the two-step casual opener followed by the data request. Provide immediate, constructive coaching for employees who engage with the simulation. CISA assessment data shows that 84 percent of employees who fall for phishing do so within the first 10 minutes of receiving the email, reinforcing the importance of instinctive recognition over deliberate analysis.
Build a reporting culture. Make it easy and psychologically safe for employees to report suspicious emails without fear of punishment or embarrassment. Speed of reporting is critical. The IRS has stated that it may be able to take protective steps for affected employees if notified quickly after a W-2 data loss.
What should you do if your organization falls victim to W-2 phishing?
If your organization has sent W-2 data to an unauthorized party, the following incident response steps should be executed immediately. Speed directly affects the extent of downstream harm.
Immediate actions (first 24 hours)
Notify the IRS. Email dataloss@irs.gov with "W2 Data Loss" in the subject line. Include your organization's contact information so the IRS can respond. Do not attach any employee personally identifiable information to this email. The IRS uses this notification to flag affected Social Security numbers and watch for fraudulent returns.
Forward the phishing email to the IRS. Send the original phishing email to phishing@irs.gov with "W2 Scam" in the subject line. Save the email as a file and send it as an attachment to preserve the email headers, which the IRS needs for its investigation.
File a complaint with the FBI's IC3. Report the incident at ic3.gov. Federal investigators use IC3 complaints to identify patterns, track threat actors, and coordinate law enforcement responses.
File a report with local law enforcement. Establish an official record of the incident with your local police department.
Employee notification (within 48 hours)
Notify all affected employees in writing. Be transparent about what happened, what data was exposed, and what specific steps employees should take to protect themselves.
Provide employees with actionable guidance. Instruct affected employees to file IRS Form 14039 (Identity Theft Affidavit), request an IRS Identity Protection PIN through the IRS Get My IP PIN tool, place fraud alerts on their credit files with the three major credit bureaus (Equifax, Experian, TransUnion), and monitor their credit reports and tax transcripts for unauthorized activity.
Offer identity theft monitoring. Provide affected employees with credit monitoring and identity theft protection services at the organization's expense for a minimum of two years.
Organizational response (first 30 days)
Conduct a post-incident review. Determine exactly how the attack succeeded. Identify which controls failed or were absent. Document the full timeline from initial email to discovery.
Implement corrective controls. Based on the post-incident review, deploy the policy, technical, and training improvements outlined in the prevention section of this guide.
Engage legal counsel. Consult with attorneys experienced in data breach response to understand notification obligations under applicable state and federal laws. Most U.S. states have mandatory breach notification statutes that apply to PII exposures of this type.
Notify your cyber insurance carrier. If your organization carries cyber liability insurance, notify your carrier immediately. Many policies provide coverage for breach response costs, including credit monitoring, forensic investigation, and legal fees.
Frequently Asked Questions About W-2 Phishing
What makes W-2 phishing different from regular phishing?
Regular phishing campaigns cast a wide net with generic messages sent to thousands of recipients, typically seeking credentials or delivering malware through malicious links. W-2 phishing is a highly targeted spear phishing attack directed at specific employees in HR or payroll, impersonating a known executive within the same organization, and asking for specific sensitive documents rather than asking the recipient to click a link. The email often contains no links, no attachments, and no malware, which allows it to bypass traditional email security filters that scan for technical threat indicators.
When is W-2 phishing season?
W-2 phishing attacks peak between January and April, coinciding with the U.S. tax filing season. Employers issue W-2 forms to employees by January 31 each year, making February and March the highest-risk period because the request for W-2 data appears contextually normal during this window. However, the IRS has documented attacks occurring throughout the year, and organizations should maintain vigilance regardless of the calendar.
Can email authentication (DMARC) stop W-2 phishing?
DMARC, when deployed at enforcement level (p=reject), prevents attackers from sending emails that spoof your exact domain. This eliminates the most common W-2 phishing vector, which relies on domain spoofing to make the email appear to originate from the CEO's actual email address. However, DMARC does not protect against look-alike domains (e.g., company.co vs company.com), display name spoofing on free webmail accounts, or attacks launched from a compromised legitimate account. DMARC is a necessary but not sufficient defense. NIST SP 800-177 Rev. 1 recommends SPF, DKIM, and DMARC as foundational email authentication technologies.
What should an employee do if they already sent W-2 data?
If you have already sent W-2 data in response to a suspected phishing email, notify your IT security team and management immediately. Do not delete the phishing email, as it contains header data needed for the investigation. Your organization should then follow the incident response procedures described in this guide, beginning with notification to the IRS at dataloss@irs.gov and filing a report with the FBI's IC3 at ic3.gov. Time is critical because the IRS may be able to flag affected records before fraudulent returns are filed.
Are small businesses targeted by W-2 phishing?
Yes. Small businesses are frequently targeted and are often more vulnerable than large enterprises. The IRS has specifically warned that W-2 phishing campaigns target a broad range of organizations including small businesses, nonprofits, school districts, and tribal organizations. Small businesses typically lack dedicated cybersecurity staff, formal data handling procedures, and advanced email authentication, making them easier targets. Data from 2024 indicates that organizations with fewer than 1,000 employees face a 70 percent weekly probability of receiving at least one BEC attack attempt, and the average BEC-related business interruption cost for SMEs is $487,000.
What is the executive summary of W-2 phishing protection?
TL;DR: W-2 phishing is a Business Email Compromise attack in which cybercriminals impersonate executives and request employee tax forms from HR or payroll staff. The FBI's IC3 reported $2.77 billion in BEC losses and $16.6 billion in total cybercrime losses in 2024. Major companies including Snapchat and Seagate have lost thousands of employee records to this exact attack. The IRS classifies it as one of the most dangerous phishing scams in the tax community.
Prevention requires three layers:
- Policy: Never transmit W-2 data via email. Require out-of-band verification and dual authorization for all sensitive data requests.
- Technical: Deploy SPF, DKIM, and DMARC email authentication. Enable external email tagging. Enforce multi-factor authentication. Use AI-powered email security tools.
- Human: Conduct role-specific training for HR and payroll staff. Run simulated phishing exercises. Build a no-blame reporting culture.
If compromised: Email dataloss@irs.gov immediately. Report to the FBI's IC3 at ic3.gov. Notify affected employees and provide identity theft monitoring. Have each affected employee file IRS Form 14039.
Sources and references
- FBI Internet Crime Complaint Center (IC3) 2024 Annual Report (ic3.gov)
- IRS: Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers (irs.gov)
- IRS: Dirty Dozen Tax Scams for 2025 (irs.gov)
- IRS: Report Phishing and Online Scams (irs.gov)
- NIST Special Publication 800-177 Rev. 1: Trustworthy Email (csrc.nist.gov)
- NIST Phishing Guidance for Small Business (nist.gov)
- CISA: Counter-Phishing Recommendations for Federal Agencies (cisa.gov)
- NIST Special Publication 800-63B: Digital Identity Guidelines (pages.nist.gov)
- KrebsOnSecurity: IRS Scam Blends CEO Fraud, W-2 Phishing (krebsonsecurity.com)
- KrebsOnSecurity: Seagate Phish Exposes All Employee W-2s (krebsonsecurity.com)
SO Email Security is an AI-powered email protection platform that helps freelancers, nonprofits, and small businesses detect and block phishing, BEC, and spoofing attacks before they reach the inbox.