The IRS has alerted tax professionals, employers, and other taxpayers, once again, about a W-2 email scam that often surges during filing season. The W-2 scam emerged as one of the most dangerous and successful phishing attacks last year when hundreds of employers and thousands of employees fell victim to the scheme. This scam is such a threat to taxpayers that the IRS has established a special reporting process.

Employers at Risk

During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces. All employers are at risk from this scam. The IRS urges employers to be aware of this scheme and to educate their employees, especially those in human resources and payroll departments who are often the first targets, about the scheme. Further, employers are urged to limit the number of employees who have authority to handle Form W-2 requests. In addition, such employees should require additional verification procedures to validate requests before emailing sensitive data.

The W-2 Email Scams

Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as authority figures send email to payroll personnel requesting copies of Forms W-2 for all employees. The initial email may be a friendly, “hi, are you working today,” exchange before the fraudster asks for the W-2s. In several reported cases, after the fraudsters acquired the workforce information, they immediately requested a wire transfer. The Form W-2 information is valuable because it contains the employee’s name, address, Social Security number, income, and withheld taxes. Criminals can use that information to file fraudulent tax returns, or post it for sale on the Dark Net.

Reporting Incidents

If an employer receives a suspect email, the employer should forward the entire email to and use “W2 Scam” in the subject line.

Employers who have suffered a data loss should notify the IRS at The email should include “W2 Data Loss” in the subject line and the following information in the body:

  • -Business name;
  • -Business employer identification number (EIN) associated with the data loss;
  • -Contact name;
  • -Contact phone number;
  • -Summary of how the data loss occurred; and
  • -Number of employees impacted.

Do not attach any employee personally identifiable information data. Additional information is also available here.

For more information on how to protect your employee information from scammers, contact Larson & Company today.