(Photo: Jason Doiy / ALM)
(Photo: Jason Doiy / ALM)

Editor’s note: This article appeared in The Corporate Counselor, an ALM publication covering the latest changes in business regulatory climates. For Corporate Counsel, In-House Counsel, Managing Partners. Visit the website to learn more.

In 2016, numerous businesses fell victim to a surge of phishing scams involving W-2 forms. In response, the IRS sent a broad consumer alert regarding these schemes after seeing an approximate 400% surge in phishing and malware attacks during the 2016 season. As the tax filing season ramps up for 2017, we have already seen a number of successful attempts to obtain W-2 forms from unsuspecting employees.

While phishing scams can be hard to predict and prevent, companies can educate their HR and payroll departments to help avoid falling victim to these types of schemes. Moreover, appropriate training can help employees identify and stop the most common types of phishing scams. Finally, even if the scam succeeds, there are steps a company can take to prepare a prompt and effective response to affected individuals.

What Happens? Details About the Scam

The scam usually begins with a “spoofing” email that appears to have been sent by a company’s CEO or CFO to one or more employees in the Human Resources or payroll department. The email typically requests that all of the company’s employees’ W-2s be sent in PDF format via return message or uploaded to a file sharing site. Unbeknownst to the HR or payroll department employees, the email did not come from the CEO or CFO, but from a criminal who had conducted some research to, at the very least, identify the names and email addresses of the CEO or CFO as well as the targeted human resources or payroll department employees. Here is an example:

From: Jim.Smith@company.com
To: Tony.Adams@company.com
Subject: Immediate Response Needed
Date: February 1, 2017 10:55 AM

Hi Tony,

I need copies of all employees’ W-2 wage and tax statements for 2016 to complete a business transaction. I need them in PDF format. You can send them as an attachment.


Jim Smith

The email appears to be a completely legitimate request from a legitimate email address, but in reality the email is from somewhere entirely different and has the “REPLY TO” field set to an email address controlled by the criminal. While the email headers would show the email address, they are typically hidden from the end user. Other variations on the content of the W-2 requests can be found in the IRS’s alert on the topic issued March 1, 2016.

Criminals were successful in filing fraudulent tax returns within days (and perhaps hours) of obtaining the W-2s. The time and effort it takes to steal this valuable information — a few simple, targeted emails to unsuspecting employees — is significantly less than the time and effort it takes to infiltrate a network. For this reason, this phishing scam was extremely popular during the 2016 tax season, and has already shown signs of increasing during the 2017 tax season.

Actions You Can Take to Prevent Your Company from Becoming a Victim

Companies should remind employees, especially those who handle W-2s and other tax forms, to be aware of the threat. Employees should be advised that email requests for any type of sensitive data should be confirmed as legitimate through direct contact with the apparent sender via a phone call. If the employee is uncomfortable contacting the sender to confirm the request (which may be the case if the sender is purportedly the CEO or CFO), the employee should contact his or her supervisor, and supervisors should advise the employee not to send W-2s until the request is confirmed. Employees should be further advised that, rather than responding directly to the email, they should send a new email where they enter the recipient’s email address manually. Employees should also be reminded of any policies and procedures regarding safeguarding personal information.

It is important to note as well that temp employees and contractors may be targeted by the scam because they are newer, lack familiarity with company executives, and may not have been provided the same training as permanent employees. We have seen several successful phishing attacks that targeted temp employees for these reasons. Companies should take care to ensure that all individuals who have access to employee W-2s are aware of the potential threat of phishing emails and are trained on steps they must take to prevent the company from becoming a victim. Employees should also be trained not to click on links or download attachments from unknown emails.

As part of its information security best practices, a company should identify key internal individuals with privacy and security roles who should be notified in the event it learns that an employee has potentially responded to a phishing email. By having this team in place prior to any security incident, including a phishing scam, a company can ensure that it is prepared to respond quickly should an incident occur.

What Your Company Should Do if It Becomes a Victim

Of course, even the most comprehensive training may not prevent a phishing scam from successfully targeting an employee. Companies should additionally advise employees that if they realize that they have become a victim of a phishing scam, they must immediately advise their supervisor. After learning of an incident, there are several steps a company can take to ensure a prompt and effective response:

  • Notify key internal individuals with privacy and security roles of the incident and begin an internal investigation to confirm details;

  • Identify affected former and current employees whose W-2s were sent to the attacker;

  • Ensure that copies of the phishing email and response are preserved for potential forensic analysis and to provide to law enforcement;

  • Prepare messaging to employees once the investigation yields accurate information about the incident to ensure a consistent message is communicated;

  • Notify the FBI, IRS, and state taxing authorities of the incident;

  • Consider obtaining credit monitoring and identity theft resolution services; and

  • Engage counsel to help determine legal notification duties, including to individuals and regulatory agencies, as applicable.

While companies often want to notify their employees as quickly as possible, it is important to prepare messaging that provides accurate information and does not unnecessarily alarm affected individuals. Further an affected company must keep potential liability issues in mind. While it is a laudable goal to notify employees quickly and provide them with information to protect themselves from tax fraud and identity theft, a company must also ensure that it does not assume blame for an incident that is ultimately the result of a third-party attack.


It is clear that for the above outlined reasons — namely, the relative ease and lack of technical knowledge necessary to perpetuate this scam — that the W-2 phishing scams popular in 2016 will continue in 2017. To avoid falling victim to these frauds, companies can and should provide information to employees to help employees recognize potential phishing emails before responding to them. If, despite best efforts, a phishing email is successful at enticing an employee to send W-2s, companies must prepare a coordinated response with consistent messaging that provides affected employees with enough information to protect themselves.