IRS Warns of New Surge in W-2 Phishing Scheme in 2018
February 14, 2018

By Susan S. Waag

Introduction and Background

A popular W-2 phishing scam that involves fooling payroll personnel into turning over sensitive employee data has continued to grow in the last few years. Reports to from victims and others about this scam jumped to approximately 900 employers in 2017, compared to only 100 in 2016. More than 200 employers were actually victimized in 2017, which translated into hundreds of thousands of employees who had their identities compromised. High-profile victims of this scam have included tech companies Snapchat (Santa Monica, California) and Seagate Technology (Cupertino, California).

The IRS expects 2018 to produce even more victims, and your back-office payment staff must be even more vigilant this year. Note that although it is the employees who suffer the most harm, employers also face stiff liability as the responsible party. Employers should be aware that cybercriminals’ scams constantly evolve. Finance and payroll personnel should be alert to any unusual requests for employee data. Lets dig into some of the details so that you can protect your business from these destructive cybercriminals.

No Business is Immune

The IRS says the Form W-2 scam has emerged as one of the most damaging tax scams in history. Nobody is immune: the scam has affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments and charities. By alerting employers now, the IRS hopes to limit the success of this scam in 2018.

How the scam works

Cybercriminals do their homework, identifying chief operating officers, key executives or others in positions of authority at your business. The fraudsters then pose as an executive from your company, sending fraudulent emails to payroll personnel requesting electronic copies of W-2 forms for every employee in the entire company. The W-2s contain the employee’s name, address, Social Security number, income and withholdings. Criminals use that information to file fraudulent tax returns, or sell the information to other cybercriminals. Either way, all of your employees’ sensitive information is out there to be exploited, causing massive financial damage to the employees, and substantial liability to your company.

How they do it

These electronic criminals often use email addresses that are nearly identical to those of the actual executives at your company to perpetrate the con. Example: (correct email) vs. (scammer email). In this case, “TelephoneCo” was changed by substituting a “1” (number one) for an “l” (letter “el”), resulting in the very similar looking “” (depending on the font). Given the high volume of emails processed daily by employees, along with portable electronic devices with small text sizes, it is not surprising that this scam is hard to detect. There are numerous other similar methods used by the scammers.

The fraudulent emails often initiate the conversation in a friendly manner, resulting in the receiving employee “letting their guard down”, often assisted with personal information acquired in social media. To make matters even worse, in a growing number of cases, after the fraudsters acquired the payroll information (and the confidence of victim of the scam), they quickly followed that up with a request for a wire transfer to add even more to their haul.

Protect Thyself

Obviously, the first move is to make all applicable personnel aware of this scam, and the extraordinary cost of falling victim to its deceit. Next, employers should consider creating a policy to limit the number of employees who have authority to handle W-2 data requests. Additional verification procedures should be adopted to thoroughly validate all requests before dispersing the sensitive data.

Victims Must Notify the IRS Immediately

If your business or organization has been victimized by these attacks, notify the IRS immediately. In this case, the IRS is your friend and can help minimize your employee’s losses from the financial theft. Unfortunately, in many cases, it takes weeks or even months for a business to realize that they are victims of a vicious phishing attack.

The IRS established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how it works: email the IRS at and notify the IRS of Form W-2 data loss and provide full contact information, as listed below. Use “W-2 Data Loss “ in the email subject line so that it can be routed properly. Do not attach any personal employee information!

Include the following information:

  • Business name
  • Business employer identification number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

If you received a phishing email but did not fall victim to the scam, send the complete headers from the email to and use “W-2 Scam” in the subject line. For more information from the IRS on what to do, see the following 2 links:

  1. IRS warning issued in January 2018:
  2. Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.

Susan S. Waag, Esq. is an employment law attorney with LightGabler in San Luis Obispo, California. She provides advice to employers of all sizes on problem prevention and compliance with the myriad of laws impacting California businesses. Contact her at (805) 783-2300 or for more information.

Copyright © LightGabler LLPContact | Our People | Website by Dan Gilroy Design