IRS warns a damaging W-2 phishing email scam is spreading aggressively beyond corporate America.

** Companies are urged to alert their payroll, HR and finance employees to guard against the scam **


Two weeks ago the IRS issued a warning about a W-2 phishing email scam. Less than a week later the IRS issued an urgent alert stressing the scam is spreading aggressively beyond corporate America and into schools, hospitals, nonprofits, middle market companies, etc.

What is it?

Rather than going after W-2 data on an individual-by-individual basis, hackers have shifted their focus to a much more damaging target: mass data thefts. The W-2 phishing email scam works like this: criminals use spoofing techniques to disguise an email so that it appears to come from a company executive (CEO, President), and it is sent to payroll or HR employees requesting employee W-2 data. Cybercriminals specifically target less experienced employees working with sensitive data by researching company employees via LinkedIn or other sites. Unfortunately, these less experienced employees will often create a zip file of all W-2s and attach it to a reply email, thus exposing all of the company's employees to identity theft.

Here are some examples of language used in the emails to request the W-2 data:
  • "Kindly send me the individual 2016 W2 (PDF) and earnings summary of all W2 of our company staff for a quick review."
  • "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)"
  • "I want you to send me the list of W2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP."
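
An added example, not part of the original alert: a mail-filter sketch that holds a message for review when request language like the samples above coincides with a sender anomaly (an executive's display name on an outside address, or a Reply-To that points elsewhere). The company domain, executive names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this sketch: the organisation's mail domain and executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
# Terms drawn from the request language quoted in the alert.
DATA_TERMS = re.compile(r"\bw-?2s?\b|social security number|wage and tax statement", re.I)
ASK_TERMS = re.compile(r"\b(send|email|prepare|attach)", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw):
    """Return the reasons a message resembles the W-2 request scam."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != COMPANY_DOMAIN:
        reasons.append("executive name on external address")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    parts = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    text = msg.get("Subject", "") + "\n" + "\n".join(parts)
    if DATA_TERMS.search(text) and ASK_TERMS.search(text):
        reasons.append("requests W-2 or SSN data")
    return reasons

def should_hold(raw):
    """Hold for review when a sender anomaly coincides with a data request."""
    reasons = assess(raw)
    return "requests W-2 or SSN data" in reasons and len(reasons) > 1

# Constructed sample messages (not real mail); the first body reuses wording quoted above.
SPOOFED = (
    "From: Jane Doe <ceo@mail-example.test>\n"
    "Subject: Quick review\n\n"
    "Kindly send me the individual 2016 W2 (PDF) and earnings summary "
    "of all W2 of our company staff for a quick review.\n"
)
ROUTINE = ("From: Jane Doe <jane.doe@example.com>\nSubject: Thursday meeting\n\n"
           "Please send me the agenda for Thursday.\n")

if __name__ == "__main__":
    print(should_hold(SPOOFED), assess(SPOOFED), should_hold(ROUTINE))
```

A data request from a genuine internal address is reported by `assess` but not held by `should_hold`; that case is left to internal handling procedures rather than to the filter.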

Why is the W-2 phishing scam so harmful?

Cybercriminals will use the information obtained in these thefts to file fraudulent tax returns seeking refunds. In the case of larger organizations, the number of employees impacted will be in the thousands or beyond. Unfortunately in many cases the theft is not recognized until employees who are victims of the scam have their tax returns rejected by the IRS as a duplicate filing.

What can you do?

  1. Make sure your company's payroll, HR and finance employees are aware they likely will be targeted by this scam. These employees need to be on high alert.
  2. Implement procedures that prohibit the emailing of any sensitive employee data (e.g., W-2s, social security numbers) and restrict the ability to initiate and process wire transfers.
  3. Forward this alert to any contacts you have at nonprofit organizations, school districts, middle market companies, etc. to warn them of the dangers of this W-2 scam.

UHY Advisors can help develop the training and awareness programs you need to avoid falling victim to these types of scams. Contact your local UHY LLP professional, or visit us on the web.