Cyber Criminals Target Employees with W-2 Phishing Scam

Cyber Criminals Target Employees with W-2 Phishing Scam

The W-2 Phishing Scam and Understanding Social Engineering

It’s tax season in the United States, and many organizations have just prepared their employee’s W-2s. You may have recently received the form in an electronic or paper format and are prepared for the opening day of tax filing on January 29th. Tax season also provides an opportunity for cyber criminals to attack your organization with a social engineering technique commonly referred to as phishing.

Criminals are interested in collecting W-2s as the information on the form enables them to file many fraudulent tax returns, claim refunds and in many cases, avoid detection for months until the legitimate tax return is filed.

Phishing Attacks Are Increasing

The last few years have seen the rise of “W-2 scams” (a type of phishing attack) where criminals, posing as the company CEO or a similar executive, email one or more employees in payroll, accounting, or human resources with an urgent request to send all W-2 forms.

Typically these requests will be written so they appear to have been sent from one of the organization’s executives and the message will often contain a comment about being unreachable along with an immediate, pressing need for the W-2s. The sense of urgency and appearance of coming from a corporate executive are common psychological tactics used in phishing scams to increase the response rate.

How do Cyber Attackers Identify the Employees to Target with Their Phishing Emails?

This information is often found on the internet. Corporate websites may be disclosing the roles of those who would be ripe to target while in other cases, the attackers will comb LinkedIn or other public forums to find job tiles, email addresses and other details that are useful in crafting a believable message that spurs the recipient to respond.

Preventative Steps to Protect Against Phishing

  • Limit the number of people within the organization who can access or process W-2s and other sensitive documents.
  • Have the team responsible for managing email modify the subject line of messages to clearly identify those that come from outside the organization.
  • Create a validation process that enables employees to verify the legitimacy of a request involving sensitive information.
    • Call, text or message (do not respond to the email by using reply) the apparent sender to confirm the request. If email must be used to make contact, compose a separate email to the executive impersonated in the email and make sure you’re not replying to the attacker before you send the confirmation.
  • Raise awareness – send announcements about these and other scams and train employees so they know how to respond.
    • Do not click links contained in the email or open any attachments accompanying the email.
    • Contact your IT or Security organization to alert them about the phishing email.

Victims of W-2 Phishing Emails

Did your organization receive a W-2 phishing email or fall victim? If your organization received a W-2 phish or fell victim and responded to the attacker’s request, here are some initial steps to follow.

If you received a W-2 phishing email, but did not respond to the attacker, then we suggest the following next steps:

  • Forward the email to: [email protected] and use the subject line, “W-2 scam.” Include the email headers if possible to assist the IRS in tracing the email.
  • File a complaint with the FBI Internet Crime Complaint Center by visiting

If you received a W-2 phish and fell victim

  • Forward the email to: [email protected] and use the subject line, “W-2 scam.” Provide contact information in the body of the email and include the email headers if possible.
  • File a complaint with the FBI Internet Crime Complaint Center by visiting

Key Dates for Tax Returns

Here are several key dates related to this year’s tax filings

  • January 29 – first day filings are accepted by the IRS.
  • February 27 – first week for tax refunds.
  • April 17 – filing deadline due to April 15th falling on a Sunday and April 16th being a holiday in D.C.

Need assistance with prevention, training or guidance in responding to this or similar attacks? Contact VerSprite here.

W-2 Phishing Scam: Understand the Evolving Trends in Social Engineering

As cybercriminals evolve their tactics in social engineering, we too must evolve our procedures in response and prevention. Learn more about social engineering trends and discover how to protect your organization against cybercriminals. 

Social Engineering

View Presenation →