Cybercriminals have been sending huge numbers of W2 phishing scam emails over the past few weeks. Tax season usually sees an increase in scam emails being sent, although this year cybercriminals have started their scamming campaigns even earlier. The victim count is also growing rapidly.
The W2 phishing scam in question is an email request for copies of employees’ W-2 forms. The scammers impersonate the CEO, CFO or another executive in the organization that is likely to have a legitimate need for the data. Cybercriminals are using a variety of techniques to spoof company email addresses. A casual glance at the email address of the sender will not reveal any clues that the email is not genuine.
Since the email appears to have been sent from an authority figure, employees are less likely to question the request. Instead, they just respond and send the data as requested. In some cases, payroll and HR employees have sent thousands of W-2 Forms to the scammers. The data contained in the forms is then used to file fraudulent tax returns in the names of the victims. The data can also be used for a multitude of other types of fraud.
While businesses were extensively targeted last year, a much wider range of organizations is now being scammed. School districts and higher education establishments have been targeted, as have restaurant chains and healthcare organizations.
The IRS W2 phishing scam warning specifically mentions tribal organizations, shipping and freight firms, healthcare organizations, school districts, temp agencies, non-profits, and restaurant chains, all of which are in the attackers’ crosshairs.
According to IRS Commissioner John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time.”
Organizations may suffer even greater losses than W-2 Form data. A new trend has emerged this year that sees the W2 phishing scam combined with a request to make a fraudulent bank transfer. The first stage of the attack involves sending the W2 phishing scam email to a member of the human resources or payroll department.
When W-2 Form data is obtained, the second part of the attack occurs. The comptroller or a payroll employee is sent a request to make a bank transfer to the attacker's account. The email similarly appears to have been sent from the CFO's or CEO's email account. Some organizations have reported that they have fallen for both scams, sending the funds as requested as well as the W-2 Forms of all employees who had a taxable income in the past fiscal year.
CSO suggests that at least 29,000 employees have already had their tax information disclosed to tax fraudsters as a result of payroll/HR employees falling for the W2 phishing scam. With more than two months of tax season left, many more victims are likely. At present, at least 23 organizations have reported that they have fallen for the scam.
The message to all organizations is to exercise extreme caution and to instruct all payroll and HR staff to be on high alert.