Dangerous W-2 Phishing Scam Alert

The Internal Revenue Service (“IRS”), state agencies and the tax industry have issued severe warnings to employers about W-2 email phishing scams (“scams”).
These phishing scams initially targeted corporate employers but have since spread to other sectors, including healthcare organizations, nonprofit organizations, schools, chain restaurants, temporary staffing agencies, shipping and freight companies and tribal casinos. The scam emails, which appear to come from company executives and request personal employee information, may subject employers to serious data loss and put their employees at personal risk of identity theft.

How the Scam Works

Cybercriminals disguise emails to make them look like they are being sent by an executive of the organization by using various spoofing techniques. These disguised emails are usually sent to an individual in either the human resources or payroll departments.  The email typically requests a list of all employees and a copy of their Form W-2 or a PDF file of all the Forms W-2 from a given year or years.

Examples of the email scam, as provided by the IRS, are as follows:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review;
  • Can you send me the updated list of employees with full details (name, Social Security number, date of birth, home address, salary)?; or
  • I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

In an updated version of the scam, cybercriminals also add a wire transfer scam: a follow-up disguised email requests that a wire transfer be directed to a cybercriminal’s account.
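A mail-screening check for the pattern described above, as an added example that is not part of the original alert or any IRS tooling. It holds a message for out-of-band verification when a sender anomaly coincides with a payroll-data or wire-transfer request. The two sender checks, the organisation domain, the executive name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumption: the employer's own mail domain
EXECUTIVES = {"pat rivera"}     # assumption: executive names, lower-cased
# Wording taken from the IRS sample requests and the wire-transfer follow-up.
LURE = re.compile(r"\bW-?2\b|social security number|list of employees"
                  r"|earnings summary|wire transfer", re.IGNORECASE)

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review(raw):
    """Return (sender_anomalies, lure_phrases) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = _domain(msg.get("From"))
    anomalies = []
    if display in EXECUTIVES and from_dom != ORG_DOMAIN:
        anomalies.append("executive display name on outside address")
    if msg.get("Reply-To") and _domain(msg.get("Reply-To")) != from_dom:
        anomalies.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    phrases = sorted({m.group(0).lower() for m in LURE.finditer(text)})
    return anomalies, phrases

def hold_for_verification(raw):
    """Hold only when a sender anomaly coincides with a payroll-data request."""
    anomalies, phrases = review(raw)
    return bool(anomalies and phrases)

# Constructed sample messages (not real traffic).
LOOKALIKE = ("From: Pat Rivera <pat.rivera@example-mail.test>\n"
             "To: payroll@example.com\nSubject: Quick review\n\n"
             "Kindly send me the individual 2015 W-2 (PDF) and earnings summary.\n")
REPLY_TO = ("From: Pat Rivera <pat.rivera@example.com>\n"
            "Reply-To: pat.rivera@mailbox.test\n"
            "To: hr@example.com\nSubject: Request\n\n"
            "Can you send me the updated list of employees with Social Security number?\n")
BENIGN = ("From: HR Team <hr@example.com>\nTo: all@example.com\n"
          "Subject: Reminder\n\nYour W-2 is available in the payroll portal.\n")

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO), ("benign", BENIGN)]:
        print(name, hold_for_verification(raw), review(raw))
```

A held message should be confirmed with the named executive through a separate channel before anyone replies to it.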

Reporting W-2 Theft

The IRS has issued guidance on its website, dated March 28, 2017, titled “Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.” If the IRS is notified quickly, it may be able to help mitigate the loss and protect employees from any tax-related identity theft. The steps are as follows:

1. Contact tax and law enforcement agencies:

  • Email the IRS at dataloss@irs.gov with information including the taxpayer’s business name, employer identification number, contact name, contact number, summary of how the data loss occurred and the number of employees affected.
  • Email the Federation of Tax Administrators at StateAlert@taxadmin.org to obtain information on alerting state tax authorities. Tax identity theft could also impact tax accounts with the states as well as the IRS.
  • It is also recommended to contact other law enforcement officials. The IRS recommends filing a complaint with the Federal Bureau of Investigation’s Internet Crime Complaint Center (“IC3”).

2. Inform employees that their W-2 data was stolen:

Employers should let employees know that cybercriminals who have stolen employee information may file fraudulent tax returns to claim refunds or may sell the data to others who may perpetrate crimes. The IRS suggests providing employees with formal IRS information as follows: (1) the Taxpayer Guide to Identity Theft, (2) IRS Publication 5027 (Identity Theft Information for Taxpayers), and (3) IRS Publication 4524 (Security Awareness for Taxpayers). The Federal Trade Commission also offers additional guidance. Employees can file a Form 14039, Identity Theft Affidavit, if their tax information has been compromised.

3. Report the phishing email:

Whether or not an employer fell victim to the scam, it should forward the phishing scam email to the IRS at phishing@IRS.gov. The IRS will need the email header provided in plain ASCII text format. The phishing email should be saved as an email file and attached to the email, with the subject “W-2 Scam”. The IRS urges employers not to send any sensitive employee data such as Form W-2 or Social Security number. It also recommends filing a complaint with the IC3.
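One way to assemble the report described in step 3, as an added example that is not code from the IRS or from this alert. The recipient address and subject come from the text above. The function name, attachment filename, SSN-shaped pattern and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

SSN_LIKE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")  # assumed pattern for SSN-shaped text

def build_irs_report(raw_eml: bytes, reporter: str) -> EmailMessage:
    """Wrap a saved phishing email for forwarding as step 3 describes."""
    original = message_from_bytes(raw_eml, policy=default)
    # Do not forward employee data: stop on attachments or SSN-shaped strings,
    # e.g. when the saved file is a reply that already included the W-2s.
    has_attachment = next(original.iter_attachments(), None) is not None
    if has_attachment or SSN_LIKE.search(raw_eml):
        raise ValueError("message carries attachments or SSN-like data; review first")
    # Header block = everything before the first blank line of the raw file.
    head = raw_eml.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    # Plain ASCII only: a stray non-ASCII byte becomes a visible \xNN escape.
    headers_ascii = head.decode("ascii", errors="backslashreplace")
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = "phishing@IRS.gov"
    report["Subject"] = "W-2 Scam"
    report.set_content("Headers of the message we received:\n\n" + headers_ascii + "\n")
    # Attach the original as message/rfc822 so it travels as an email file.
    report.add_attachment(original, filename="w2-phish.eml")
    return report

# Constructed sample of a saved .eml file (not a real message).
SAMPLE = (b"From: Pat Rivera <pat.rivera@example-mail.test>\r\n"
          b"Reply-To: pat.rivera@mailbox.test\r\n"
          b"To: payroll@example.com\r\n"
          b"Subject: Quick review\r\n\r\n"
          b"Kindly send me the individual 2015 W-2 (PDF) of all staff.\r\n")

if __name__ == "__main__":
    print(build_irs_report(SAMPLE, "security@example.com").as_string())
```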

W-2 Verification Program

In an attempt to fight identity theft, the IRS and payroll service providers have partnered in an initiative to place a 16-digit verification code on a sample of Forms W-2. In 2016 there were approximately 47 million Forms W-2 filed using these codes, which is a significant increase from the 2 million filed in 2015. The verification code appears on Form W-2, Copy B, To be filed with employee’s federal tax return, and Copy C, For employee’s records.

The verification code is recommended (but not required) by the IRS to be entered into tax software when a return is electronically filed. The code enables the IRS to validate the authenticity of the W-2 filed with a personal income tax return. According to the IRS, an increasing number of taxpayers are entering these codes. The IRS has also reported that the verification code has been successful 97% of the time in W-2 authentication. As this program expands, this can be an effective tool used to prevent a fraudulent tax return from being filed.



Employers and employees should be educated so as not to fall victim to this scam or any other cyber-crime. Awareness and preventative measures should be taken to avoid evolving scams. Employers should take precautions, routinely educate employees, and perform cyber security reviews to protect all company data.

To ensure compliance with U.S. Treasury rules, unless expressly stated otherwise, any U.S. tax advice contained in this communication is not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.
