Beware of Phishing W-2 Scheme Targeting Businesses

February 22, 2017

The IRS has issued a warning about a W-2 phishing scheme that is targeting businesses and organizations across the United States. Just recently, a Wyoming hospital fell victim to this scam when someone posing as an internal executive convinced an employee to release W-2 information for over 1,400 employees. With tax season in full swing, these cyber scammers are stepping up their efforts around the country. Here is what you need to know:

The Scheme

Recycling tactics from 2016, cybercriminals are using spoofing techniques to disguise a phishing email to appear as if it is from an organization executive. The email is then sent to a targeted employee in the payroll or human resources department, requesting a list of all employees and their Forms W-2. The email often includes a signature line that appears identical to those used in legitimate internal emails.

As an added twist this year, the crooks are following up the W-2 email with an additional message to the payroll or finance department requesting a funds transfer to a specific account. The dual approach has proven effective – the IRS reports that some companies have lost both W-2s and thousands of dollars to this scheme.

The scammers are also actively monitoring the spoof email accounts and related phone numbers sent with the fraudulent messages. This allows them to quickly reply to follow-up inquiries from the targeted employees, lending further legitimacy to the fraudulent requests.

What To Do

  1. Immediately alert and train all of your employees to be vigilant of these tactics and related scams. Employees should immediately question the motives of anyone requesting W-2 information or wire transfers outside of the normal course of established correspondence systems and practices.
  2. Set up policies that require independent internal verification of sender identity and authority before releasing any sensitive information. Consider requiring employees to obtain supervisory approval and verify such requests by face-to-face contact or use of an established internal phone number.
  3. Work with your IT staff to set up notifications and procedures for your email system that are designed to inform users if an email originated within or outside of the organization.
  4. Warn your employees about using search engines to seek out technical help with taxes or tax software. Cybercriminals are lurking on the web waiting to take advantage of a misplaced “tech support” inquiry that could expose your network to a cyberattack. They also need to be leery of any IRS employee or “tech support” calls asking for information or offering assistance.
  5. If your employees receive a W-2 or related wire transfer scam email, forward it to and place “W2 Scam” in the subject line. You should also file a complaint with the FBI’s Internet Crime Complaint Center. For updated prevention tips and what do to if identifying information is stolen, visit and

If your company falls victim to this or a related scheme involving the loss of sensitive data, our Cybersecurity team can help minimize the fallout and implement strategies for avoiding future problems. For help with these or any other cybersecurity concerns, please contact Hancock Daniel’s Cybersecurity team – Jerry Canaan, Mike Gill, Bill Hall, or John Mumford.

The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., PC, is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C., PC be liable for any direct, indirect, or consequential damages resulting from the use of this material.

Print Friendly, PDF & Email