Tax authorities warn employers this year about W-2 phishing scams that victimized organizations — and thousands of employees — last year. During the last two tax seasons, cyber-crooks conned payroll personnel or those with access to payroll information into disclosing sensitive information for entire work forces, from small and large businesses to public schools and universities, hospitals, governments and charities.

Cyber-criminals pinpoint chief operating officers, school executives or others in authority. Fraudsters pose as execs to e-mail payroll personnel, requesting copies of W-2s for all employees. Criminals use that information to file fake returns or sell it on the Dark Web. Reports of this scam jumped to some 900 in 2017, compared with slightly more than 100 in 2016. Last year, more than 200 employers were victimized.

The Internal Revenue Service is urging employers to consider a policy to limit the number of employees who can handle W-2 requests and require additional verification procedures. If victims notify the IRS, the agency can also help protect employees from tax-related ID theft. It can also take weeks for businesses and organizations to realize they’ve been scammed.

Employers can report W-2 data thefts to They should type “W2 Data Loss” in the subject line, attach no employee personally identifiable information, and include:
• The business name and EIN associated with the data loss;
• A contact name and phone number;
• A summary of how the data loss occurred; and,
• The volume of employees impacted.

Businesses and organizations that fall victim to the scam or that only receive a suspect email can send the full e-mail headers to, using “W2 Scam” in the subject line.

Contact an MCB Accounting & Tax Advisor if you need help with payroll and W-2 reporting internal controls at 703.218.3600.

Share This