W-2 Phishing Scams Increasingly Target Payroll Personnel

W-2 Phishing Scam

The W-2 phishing scam often targets payroll and HR professionals. Learn how to prevent it, and what to do if your data is compromised.

Often appearing to be from a corporate executive, it begins with a friendly "Are you working today?" email. But the W-2 phishing scam quickly escalates to a request for W-2 information.

What happens when fraudsters succeed? "Cybercriminals who successfully steal W-2 forms immediately attempt to monetize their thefts," notes the IRS. "Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the internet's black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes."

Here's what finance leaders need to know about avoiding W-2 phishing scams and limiting the damage if one should occur.


Any employee — especially in this case HR or payroll staff — who has access to sensitive information should receive regular training and updates on phishing scams and how to avoid them. The IRS notes, for example, that it "never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS websites and IRS impersonation emails."

In addition, cybersecurity experts strongly recommend auditing and potentially reducing the number of employees with access to W-2 and other sensitive information. The more people with access, the greater the risk of falling victim to a scam.

Mitigating Losses

In the unfortunate event that employee information has been compromised, speed is of the essence. As soon as you believe that you may be a victim of a W-2 phishing scam, the IRS recommends emailing dataloss@irs.gov to alert them of a W-2 data loss. Putting "W-2 Data Loss" in the subject line will help ensure that the email ends up in the right place. In the email, make sure to include the following information:

  • Business name
  • Business employer identification number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

In the email, do not include any employee personally identifiable information.

You should also communicate with affected employees as quickly as possible and refer them to government resources like the "Taxpayer Guide to Identity Theft" and IRS Publication 5027, "Identity Theft Information for Taxpayers."
