It's Tax Season, Safeguard Your Organization's W-2s | VerSprite It's Tax Season, Safeguard Your Organization's W-2s | VerSprite

It’s Tax Season, Safeguard Your Organization’s W-2s

Written By: Ray Strubinger

Cybersecurity Resources

It’s tax season in the United States, and many organizations have just prepared their employee’s W-2s. You may have recently received the form in an electronic or paper format and are prepared for the opening day of tax filing on January 29th. Tax season also provides an opportunity for cyber criminals to attack your organization with a social engineering technique commonly referred to as phishing. Criminals are interested in collecting W-2s as the information on the form enables them to file many fraudulent tax returns, claim refunds and in many cases, avoid detection for months until the legitimate tax return is filed.

The last few years have seen the rise of “W-2 scams” (a type of phishing attack) where criminals, posing as the company CEO or a similar executive, email one or more employees in payroll, accounting, or human resources with an urgent request to send all W-2 forms. Typically these requests will be written so they appear to have been sent from one of the organization’s executives and the message will often contain a comment about being unreachable along with an immediate, pressing need for the W-2s. The sense of urgency and appearance of coming from a corporate executive are common psychological tactics used in phishing scams to increase the response rate.

How do the attackers identify the employees to target with their phishing emails? This information is often found on the internet. Corporate websites may be disclosing the roles of those who would be ripe to target while in other cases, the attackers will comb LinkedIn or other public forums to find job tiles, email addresses and other details that are useful in crafting a believable message that spurs the recipient to respond.

Preventative Steps

  • Limit the number of people within the organization who can access or process W-2s and other sensitive documents.
  • Have the team responsible for managing email modify the subject line of messages to clearly identify those that come from outside the organization.
  • Create a validation process that enables employees to verify the legitimacy of a request involving sensitive information.
    • Call, text or message (do not respond to the email by using reply) the apparent sender to confirm the request. If email must be used to make contact, compose a separate email to the executive impersonated in the email and make sure you’re not replying to the attacker before you send the confirmation.
  • Raise awareness – send announcements about these and other scams and train employees so they know how to respond.
    • Do not click links contained in the email or open any attachments accompanying the email.
    • Contact your IT or Security organization to alert them about the phishing email.

Did your organization receive a W-2 phishing email or fall victim?

If your organization received a W-2 phish or fell victim and responded to the attacker’s request, here are some initial steps to follow.

If you received a W-2 phishing email but did not respond to the attacker

  • Forward the email to: [email protected] and use the subject line, “W-2 scam.” Include the email headers if possible to assist the IRS in tracing the email.
  • File a complaint with the FBI Internet Crime Complaint Center by visiting

If you received a W-2 phish and fell victim

  • Forward the email to: [email protected] and use the subject line, “W-2 scam.” Provide contact information in the body of the email and include the email headers if possible.
  • File a complaint with the FBI Internet Crime Complaint Center by visiting

Key Dates for 2017 Tax Returns

Here are several key dates related to this year’s tax filings

  • January 29 – first day filings are accepted by the IRS.
  • February 27 – first week for tax refunds.
  • April 17 – filing deadline due to April 15th falling on a Sunday and April 16th being a holiday in D.C.


Need assistance with prevention, training or guidance in responding to this or similar attacks?

Contact VerSprite at 1-888-242-0263 to discuss.

Digital Forensics and Incident Response

VerSprite's emergency response teams will help your organization identify, contain, eradicate, and respond to security incidents.

We use our expertise to implement a practical strategy for incident response preparation and management, intrusion hunting/compromise assessment, and prevention and remediation recommendations. Learn More →

We are an international squad of professionals working as one.