W-2 PHISHING: THE SCAM TARGETING HR
Learn how W-2 phishing attacks target HR and payroll departments to steal employee tax data. Includes detection checklist, prevention steps, and IRS reporting procedures.
Direct answer
W-2 phishing is a targeted email attack where criminals impersonate executives to trick HR or payroll staff into sending employee W-2 forms. These forms contain Social Security numbers, salaries, and addresses, enabling large-scale identity theft and tax fraud. If your organization receives a suspicious W-2 request, do not respond. Report it immediately to phishing@irs.gov with "W-2 scam" in the subject line.
What Is W-2 phishing?
W-2 phishing is a form of business email compromise (BEC) that specifically targets human resources and payroll departments during tax season. Attackers impersonate company executives, typically the CEO or CFO, and send urgent email requests for employee W-2 data or wage summaries.
Unlike mass phishing campaigns, W-2 attacks are highly targeted. Criminals research organizational structures, identify HR personnel by name, and craft personalized messages that appear to come from legitimate leadership.
The stolen data is extraordinarily valuable. A single W-2 form contains:
- Full legal name
- Social Security number
- Home address
- Annual wages and salary
- Federal and state tax withholding amounts
- Employer identification number (EIN)
One successful W-2 phishing attack can compromise the personal data of an organization's entire workforce in a single email exchange.
The IRS classifies W-2 phishing as one of the most dangerous email scams affecting businesses. The agency has issued multiple alerts warning employers about these attacks, which surge between January and April each year.
Why does W-2 phishing matter?
The scale of business email compromise
W-2 phishing falls under the broader category of business email compromise. According to the FBI Internet Crime Complaint Center (IC3) 2024 Annual Report, BEC attacks caused $2.77 billion in reported losses in 2024 alone.
BEC remains the second most costly category of cybercrime reported to IC3, trailing only investment fraud. Losses per BEC incident are high because these scams target an organization's finances or data rather than a single individual's.
The multiplier effect
The damage from a W-2 attack scales with headcount. One compromised HR employee can expose hundreds or thousands of workers to identity theft in a single reply. The IRS has documented cases where:
- School districts lost W-2 data for thousands of teachers and staff
- Healthcare systems exposed patient-facing employees to fraud
- Manufacturing companies compromised entire factory workforces
Each stolen W-2 enables criminals to file fraudulent tax returns, claim false refunds, open credit accounts, and commit long-term identity theft against every affected employee.
Timing and vulnerability
These attacks peak during tax season, when W-2 requests look routine. HR departments handle a steady stream of legitimate tax-document requests between January and April, so a fraudulent one blends in.
The IRS warns that W-2 phishing attacks have affected employers of all sizes and types, including businesses, nonprofits, schools, hospitals, tribal organizations, and government agencies.
How does a W-2 phishing attack work?
Step 1: Target research
Attackers identify target organizations and gather intelligence. They use:
- LinkedIn to map organizational hierarchies
- Company websites to identify executives and HR personnel
- Press releases and news articles for executive names
- Social media for communication patterns and writing styles
Criminals specifically look for HR managers, payroll administrators, and accounting staff who have access to tax documents.
Step 2: Domain spoofing or compromise
Attackers either:
- Spoof the executive's email: Create a lookalike address (e.g., ceo@company-inc.com instead of ceo@company.com)
- Compromise a real account: Gain access to the actual executive's email through separate phishing or credential theft
- Use display name deception: Set the sender name as "John Smith, CEO" while using an unrelated email address
Account compromise is the most dangerous variant: the message comes from the real mailbox, passes SPF, DKIM and DMARC, and replies go straight to the attacker through legitimate infrastructure. Display-name deception also passes those checks, because the underlying address is the attacker's own; only an exact spoof of the company's domain is caught by email authentication.
Step 3: The initial request
The attacker sends an email to HR or payroll, typically with characteristics like:
- Sent early morning, late evening, or during travel (explaining unavailability)
- Brief, urgent tone matching executive communication style
- Request framed as routine or time-sensitive
- Instructions to reply directly rather than through normal channels
Example message:
"I need you to send me copies of all employee W-2s for 2025. Please send as PDF. I'm in meetings all day so just reply to this email. Thanks."
Step 4: Data extraction
If the HR employee complies, they send W-2 forms containing complete personal and financial data for every employee. The attacker now possesses everything needed to:
- File fraudulent tax returns for each employee
- Claim refunds before legitimate returns are filed
- Sell data to other criminals
- Commit ongoing identity theft
Step 5: Secondary attacks
With the employer's EIN and employee data, criminals can:
- Create convincing follow-up scams targeting individual employees
- Attempt wire transfer fraud using established trust
- File fraudulent business tax documents
- Launch additional BEC attacks against partners or vendors
Real case: Seagate Technology data breach
In March 2016, a W-2 phishing attack compromised the personal data of approximately 10,000 current and former Seagate employees.
According to reports and subsequent legal filings:
- An attacker sent an email to Seagate's HR department impersonating a company executive
- The email requested 2015 W-2 information for all U.S.-based employees
- An HR employee complied, sending W-2 data for roughly 10,000 workers
- Seagate discovered the breach when employees reported fraudulent tax returns filed in their names
The incident demonstrated how even large technology companies with security resources remain vulnerable to social engineering. The breach exposed names, Social Security numbers, addresses, and salary information for thousands of workers.
Seagate subsequently faced a class-action lawsuit from affected employees. The company offered credit monitoring services, but many employees reported tax fraud occurring before protective measures could be implemented.
The IRS noted this case as an example of why all employers must implement verification procedures for W-2 requests, regardless of organization size or industry.
How can you detect W-2 phishing attempts?
Use this checklist to evaluate any email requesting employee tax data.
Sender verification
| Check | Red Flag |
|---|---|
| Email address | Slight misspellings or wrong domain |
| Reply-to address | Different from the sender address |
| Sending time | Outside normal business hours |
| Executive availability | Claims to be traveling or in meetings |
Request characteristics
| Check | Red Flag |
|---|---|
| Urgency | Demands immediate response |
| Channel | Asks to bypass normal procedures |
| Scope | Requests all employee data at once |
| Format | Wants data sent via email attachment |
| Verification | Discourages phone confirmation |
Communication patterns
| Check | Red Flag |
|---|---|
| Tone | Unusually brief or formal for the sender |
| Greeting | Generic or missing personalization |
| Signature | Missing or different from typical format |
| Context | No prior discussion of this request |
Any request for bulk employee W-2 data via email should trigger verification protocols, regardless of the apparent sender.
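The checklist above can be applied mechanically at the mail gateway or in a triage script before a message ever reaches HR. The following is an added example for this article, not code from the original page or from the IRS: it parses one raw RFC 5322 message and records which sender and request indicators fire. The internal domain (example.com), the executive roster, the business-hours window, the keyword lists and both sample messages are constructed assumptions; substitute your own directory and thresholds.

```python
"""Heuristic triage of an inbound message for W-2 phishing indicators.

Added example for this article; not code from the original page or the IRS.
The internal domain, executive roster, business hours, keyword lists and the
two sample messages below are constructed for illustration.
"""
from datetime import time
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

INTERNAL_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {                                       # assumed roster: display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))           # assumed local working window
TAX_DATA = ("w-2", "w2", "wage statement", "social security", "ssn")
BULK_SCOPE = ("all employee", "every employee", "all w-2", "all w2", "entire staff", "whole company")
BYPASS = ("just reply", "reply to this email", "do not call", "don't call",
          "in meetings all day", "traveling", "travelling")
URGENCY = ("urgent", "asap", "immediately", "right away", "today", "end of day")
ATTACHMENT = ("pdf", "attach", "spreadsheet", "excel", "zip")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """A domain that is not ours but embeds our label or sits within two edits of it."""
    if domain == legit:
        return False
    label = legit.split(".")[0]
    return label in domain or levenshtein(domain, legit) <= 2


def triage(raw: bytes) -> dict:
    """Return the indicators that fire on one raw message and a recommended action."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []

    # Sender verification: address, display name, Reply-To, authentication, timing
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain != INTERNAL_DOMAIN and is_lookalike(domain, INTERNAL_DOMAIN):
        hits.append(f"sender: lookalike domain {domain}")
    bare_name = name.split(",")[0].strip().lower()          # "John Smith, CEO" -> "john smith"
    real = EXECUTIVES.get(bare_name)
    if real and addr != real:
        hits.append(f"sender: display name '{name}' matches an executive but address is {addr}, not {real}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        hits.append(f"sender: Reply-To {reply_to} differs from From")
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        hits.append("sender: authentication failure in Authentication-Results")
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or not (BUSINESS_HOURS[0] <= sent.time() <= BUSINESS_HOURS[1]):
            hits.append(f"sender: sent outside business hours ({sent:%a %H:%M})")

    # Request characteristics: keyword groups over subject and plain-text body
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    for label, words in (("tax data", TAX_DATA), ("bulk scope", BULK_SCOPE),
                         ("bypass channel", BYPASS), ("urgency", URGENCY),
                         ("email attachment", ATTACHMENT)):
        found = [w for w in words if w in text]
        if found:
            hits.append(f"request: {label} ({', '.join(found)})")

    tax_request = any(h.startswith("request: tax data") for h in hits)
    action = "HOLD: verify by phone using a known number" if tax_request and len(hits) > 1 else "route normally"
    return {"indicators": hits, "action": action}


# Constructed sample: lookalike domain, impersonated display name, foreign Reply-To,
# weekend pre-dawn send, bulk W-2 request as PDF, reply-only channel. Note that
# DMARC passes: the attacker controls example-inc.com, so authentication is no help.
SAMPLE_PHISH = b"""From: "John Smith, CEO" <john.smith@example-inc.com>
Reply-To: john.smith.ceo@mail-hub.test
To: payroll@example.com
Date: Sat, 14 Feb 2026 06:12:00 -0500
Subject: W-2s
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-inc.com; dmarc=pass header.from=example-inc.com
Content-Type: text/plain; charset=us-ascii

I need you to send me copies of all employee W-2s for 2025. Please send as PDF.
I'm in meetings all day so just reply to this email. Thanks.
"""

# Constructed sample: a routine internal question that mentions W-2s but nothing else.
SAMPLE_LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Date: Tue, 10 Feb 2026 10:05:00 -0700
Subject: W-2 mailing date
Content-Type: text/plain; charset=us-ascii

Can you confirm the W-2 mailing date for the Denver office? Thanks.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["action"])
        for hit in result["indicators"]:
            print("  -", hit)
```

The point of the two samples is that a single keyword hit (W-2) is not a verdict; the phishing message trips eight separate indicators while the routine message trips one, and the script only holds a message when a tax-data request is accompanied by at least one other indicator. Treat the output as a prompt for the verification protocol below, not as a replacement for the phone call.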
Verification protocol
Before releasing any tax data:
- Call the requester directly using a known phone number (not one provided in the email)
- Verify in person if the executive is on-site
- Check with IT security about the legitimacy of the request
- Consult your supervisor before sending sensitive data
- Review company policy for W-2 distribution procedures
How can organizations prevent W-2 phishing?
Policy controls
Establish written procedures for W-2 distribution that require multi-person authorization for bulk data requests. No single employee should be able to release all employee tax data.
Prohibit email transmission of W-2 forms. Use secure portals, encrypted file transfers, or physical distribution instead.
Require verbal verification for any executive request involving sensitive employee data. Make this mandatory, not optional.
Limit W-2 access to specific personnel with documented need. Reduce the number of employees who can fulfill such requests.
Technical controls
Implement email authentication (SPF, DKIM, DMARC) with an enforcing DMARC policy (p=quarantine or p=reject) so that mail forging your own domain is rejected rather than merely reported. This catches only exact-domain spoofs; lookalike domains and compromised accounts pass authentication, so configure the mail gateway to flag external messages whose display name matches an internal executive.
Enable external email warnings that display banners on messages originating outside the organization, even if the display name matches an internal executive.
Deploy email security solutions that detect BEC patterns, including urgent requests, executive impersonation, and sensitive data keywords.
Use multi-factor authentication on all email accounts, especially those of executives and HR personnel, to make account compromise harder; phishing-resistant methods (FIDO2 security keys or passkeys) also defeat the credential-phishing pages that commonly precede it.
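What the weak and hardened DMARC postures look like as DNS records, shown as an added example rather than records from the original page or any real organization. The zone (example.com), the reporting mailboxes and the provider include (`_spf.example-mailprovider.test`) are placeholders; the DKIM public-key record is omitted because it is generated by whichever system signs your outbound mail.

```dns
; Weak: monitor-only DMARC. Mail that forges example.com is reported to you
; but still delivered to the recipient's inbox.
_dmarc.example.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Hardened: SPF lists only sanctioned senders and hard-fails everything else;
; DMARC requires strict alignment, rejects failures, and keeps reporting on.
example.com.         IN TXT "v=spf1 mx include:_spf.example-mailprovider.test -all"
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1"
```

Move from p=none to p=quarantine to p=reject only after the aggregate (rua) reports show every legitimate sender authenticating; a pct value below 100 lets you enforce on a fraction of traffic first. Remember the limit: these records govern mail that claims to be from example.com. A message from john.smith@example-inc.com passes that domain's own DMARC, and a message from a compromised example.com mailbox passes yours, which is why the verification protocol above is mandatory regardless of what the headers say.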
Training and awareness
Conduct annual training specifically addressing W-2 phishing, timed before tax season begins (December or January).
Run phishing simulations that include BEC-style attacks targeting HR and payroll staff.
Establish clear reporting channels so employees know exactly how to escalate suspicious requests without fear of repercussion for delaying legitimate work.
Brief executives on the scam so they understand why staff may verify their requests through secondary channels.
What should you do if your organization fell victim?
Immediate response (first 24 hours)
- Stop further disclosure by alerting all HR and payroll staff immediately
- Preserve evidence including the original email, headers, and any responses
- Document the scope by identifying exactly which employees' data was compromised
- Engage IT security to investigate potential account compromise
- Notify leadership and legal counsel
Report to the IRS
Email notification:
- Send to: dataloss@irs.gov
- Subject line: "W-2 Data Loss"
- Include: Organization name, EIN, contact information, number of affected employees
- Do not attach employee personally identifiable information
Phishing report:
- Forward the scam email to: phishing@irs.gov
- Subject line: "W-2 Scam"
- Forward the email as an attachment rather than inline so the original headers are preserved
Report to law enforcement
FBI Internet Crime Complaint Center
- Website: IC3.gov
- File detailed complaint for federal tracking
Local FBI Field Office
- Report for potential investigation of larger criminal operations
State Attorney General
- Every U.S. state has a breach notification law, but deadlines, notification content, and whether the attorney general must be informed differ by state; check the requirements for each state where affected employees reside
Employee notification
Notify all affected employees promptly with:
- Clear explanation of what data was exposed
- Steps they should take to protect themselves
- Information about filing IRS Form 14039 (Identity Theft Affidavit)
- Resources for credit monitoring (provide if possible)
- Contact information for questions
Recommended employee actions:
- File taxes early before criminals can file fraudulent returns
- Respond promptly to any IRS notices
- Request an IRS Identity Protection PIN
- Place fraud alerts on credit reports
- Monitor credit reports for 12-24 months
IRS Form 14039
Affected employees should file IRS Form 14039, Identity Theft Affidavit, if:
- They cannot file their tax return because a return was already filed using their SSN
- The IRS sends a notice indicating a problem with their return
- They receive a notice about wages from an unknown employer
Frequently Asked Questions
Why do attackers target W-2 forms specifically?
W-2 forms contain the complete data package needed for tax fraud: Social Security numbers, exact income figures, and employer information. Unlike partial data from other breaches, a W-2 provides everything required to file a convincing fraudulent tax return. Criminals can claim refunds before legitimate employees file, often receiving thousands of dollars per stolen identity.
How can I verify if a W-2 request from my CEO is legitimate?
Call the executive directly using a phone number you already have on file, not any number provided in the email. If they are traveling, contact their assistant or wait until verbal confirmation is possible. Never release bulk employee data based solely on an email request, regardless of how authentic it appears.
What should employees do if their W-2 was stolen in a company breach?
File your tax return as early as possible to beat fraudulent filings. If a return was already filed in your name, submit IRS Form 14039 (Identity Theft Affidavit) with a paper return. Place a fraud alert with one of the three credit bureaus (it is required to notify the other two), or freeze your credit at all three for stronger protection. Request an IRS Identity Protection PIN for future tax years. Monitor your credit reports and IRS online account for 12-24 months.
Are small businesses also targeted by W-2 phishing?
Yes. The IRS explicitly warns that W-2 phishing affects employers of all sizes. Small businesses are often more vulnerable because they may lack dedicated security personnel, formal verification procedures, and employee security training. A small business with 50 employees represents 50 potential fraudulent tax returns to criminals, making them worthwhile targets.
Where do I report a W-2 phishing attempt or breach?
Report the phishing email to phishing@irs.gov with "W-2 Scam" in the subject line. If data was actually lost, also email dataloss@irs.gov with "W-2 Data Loss" in the subject line. File a complaint with the FBI IC3 at IC3.gov. Check your state's data breach notification requirements and notify your state attorney general if required.
Executive summary (TL;DR)
W-2 phishing attacks impersonate executives to trick HR into sending employee tax data, enabling mass identity theft and tax fraud.
Key facts:
- BEC attacks caused $2.77 billion in losses in 2024 (FBI IC3)
- One attack can compromise an entire organization's workforce
- Attacks peak January through April during tax season
Red flags:
- Executive email requesting all W-2 data
- Urgency and pressure to bypass normal procedures
- Requests to send data via email attachment
- Sender unavailable for phone verification
- Slight email address misspellings
Prevention:
- Require verbal verification for all bulk data requests
- Prohibit emailing W-2 forms
- Implement multi-person authorization
- Train HR and payroll staff annually
- Deploy email authentication (SPF, DKIM, DMARC)
If compromised:
- Report to dataloss@irs.gov and phishing@irs.gov
- File with FBI IC3
- Notify all affected employees immediately
- Advise employees to file taxes early and request IRS IP PINs
Never send W-2 data based solely on an email request. Always verify by phone.
Sources
- FBI Internet Crime Complaint Center. (2025). 2024 IC3 Annual Report. ic3.gov
- Internal Revenue Service. (2025). Employers Beware of W-2 Phishing Scams. irs.gov
- Internal Revenue Service. (2025). Form W-2/SSN Data Theft: Information for Businesses. irs.gov
- Internal Revenue Service. (2025). Report Phishing and Online Scams. irs.gov/report-phishing
- National Institute of Standards and Technology. Phishing Guidance. nist.gov
This article is provided for educational purposes by SO Email Security. Report W-2 phishing attempts to phishing@irs.gov. For specific legal or tax advice, consult qualified professionals.