
Tax Season Phishing Is Here. Don't Fall for the W-2 Scam.

It's tax season, which means two things are certain: you owe money to the IRS, and criminals are trying to steal it. Tax-themed phishing attacks spike dramatically between January and April, and this year they're more sophisticated than ever.

The IRS has already issued multiple alerts about a W-2 phishing scam that has hit hundreds of organizations. And it's devastatingly simple.

The W-2 Scam

Here's how it works:

  1. An attacker sends an email that appears to come from a company executive (CEO, managing partner, practice owner)
  2. The email is sent to whoever handles payroll or HR
  3. It says something like: "I need copies of all employee W-2 forms sent to me immediately. Working with our tax advisor on a deadline."
  4. The payroll person, wanting to be responsive to the boss, compiles the W-2s and sends them
  5. The attacker now has names, Social Security numbers, addresses, and income information for every employee

The IRS reported that this scam affected over 200 organizations in 2016, resulting in hundreds of thousands of compromised employee records. It's already trending higher in 2017.

Why It Works

This scam is effective because it exploits three things:

  • Authority: The request appears to come from the boss. People don't question the boss.
  • Urgency: "Tax deadline" creates time pressure that discourages verification.
  • Routine: During tax season, sharing W-2 data with accountants and advisors is normal. The request doesn't seem unusual in context.

Other Tax Season Threats

Fake IRS Emails

The IRS does not initiate contact via email. Ever. Any email claiming to be from the IRS is a scam. Period. These emails typically demand immediate payment, threaten arrest, or claim you're owed a refund (just enter your bank details to receive it). Delete them.

Fraudulent Tax Preparer Emails

Emails impersonating tax preparation software (TurboTax, H&R Block) or accounting firms are common during tax season. They contain links to fake login pages designed to steal your credentials or attachments loaded with malware.

Client Impersonation

For CPA firms and financial advisors, attackers may impersonate clients requesting tax documents be sent to a new email address. Always verify changes to client contact information through a known, separate communication channel.

Protecting Your Practice

  1. Establish a verbal verification policy. Any request for W-2s, tax data, or financial records via email gets verified with a phone call. No exceptions. Even if it's from the boss.
  2. Educate your payroll staff. Make sure whoever handles HR and payroll knows about the W-2 scam specifically. This is targeted at them.
  3. Use secure file sharing. Don't email W-2s or tax documents as attachments. Use encrypted file sharing or a secure portal.
  4. Enable email authentication. SPF, DKIM, and DMARC make it harder for attackers to spoof your domain in emails to your own staff.
  5. Report attempts. If your practice receives a W-2 phishing attempt, report it to the IRS at phishing@irs.gov and to the FBI's Internet Crime Complaint Center (IC3).
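
As an added example (not code from this post), the Python heuristic below flags the W-2 request described above together with the spoofing signs that email authentication exposes. The domain `example.com`, the executive name, the keyword list, and the signal names are assumptions, and it assumes plain-text mail whose `Authentication-Results` header is written by your own mail gateway.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own domain and executive names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}
W2_REQUEST = re.compile(r"\bw-?2s?\b|social security number|tax (data|records)", re.I)

def domain_of(header_value):
    # Lower-cased domain of the address in a From/Reply-To header ('' if absent).
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def w2_phish_signals(raw):
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    # Only trust this header if your own gateway adds it and strips inbound copies.
    auth = msg.get("Authentication-Results", "").lower()
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    signals = set()
    if W2_REQUEST.search(msg.get("Subject", "") + "\n" + body):
        signals.add("w2-request")
    if display_name in EXECUTIVES and from_dom != ORG_DOMAIN:
        signals.add("executive-name-on-outside-address")
    if reply_dom and reply_dom != from_dom:
        signals.add("reply-to-differs-from-sender")
    if from_dom == ORG_DOMAIN and "dmarc=pass" not in auth:
        signals.add("own-domain-without-dmarc-pass")
    return signals

def triage(raw):
    # A W-2 request with any spoofing sign is reported; every other one gets a phone call.
    signals = w2_phish_signals(raw)
    if "w2-request" not in signals:
        return "deliver"
    return "report" if len(signals) > 1 else "verify-by-phone"

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Pat Morgan" <pat.morgan@example.com>
Reply-To: pat.morgan@lookalike.test
Authentication-Results: mx.example.com; spf=fail; dmarc=fail
Subject: W-2 forms

I need copies of all employee W-2 forms sent to me immediately.
"""
AUTHENTICATED = SPOOFED.replace("Reply-To: pat.morgan@lookalike.test\n", "").replace("=fail", "=pass")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(AUTHENTICATED))
```

The authenticated sample still comes back as `verify-by-phone`: passing DMARC only shows the mail came from your domain, not that the executive actually wrote it.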

Tax season is stressful enough without criminals adding to it. Stay vigilant, verify requests, and happy filing.