IRS Warns of W-2 Scam Targeting Payroll and HR Departments

The IRS is warning companies of an email scam where a corporate officer seemingly requests employee W-2s to get private information.



The IRS recently renewed its warning about an email scam that uses a corporate officer’s name to request employee Forms W-2 from company payroll or human resources departments.  This phishing variation is known as a “spoofing” email.

The spoofing email may contain the actual name of the company chief executive officer. In this particular variation, the “CEO” sends an email to a company payroll office or human resource employee and requests a list of employees and information including SSNs.

Last year, cybercriminals tricked payroll and human resource officials into disclosing employee names, SSNs and income information. The thieves then attempted to file fraudulent tax returns for tax refunds.

What to Watch For in Spoofing Emails

The following are some examples of what may be contained in the spoofing email:

  • Kindly send me the individual [year] W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for [year], I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The email scam is making its way across the nation for a second time, with the IRS urging company payroll officials to double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers.


Protecting Your Company from Spoofing Email Cyberattacks

To reduce the likelihood of being victimized by business email compromises, consider adopting these practices suggested by Ballard Spahr LLP:

  1. Adopt safe internal policies and procedures.

    Prohibit or severely restrict the transmission of employee W-2 data by email.

  2. Use technical controls.

    Focus these controls on anti-phishing, data loss prevention, and digital rights management of files containing W-2 information.

  3. Encrypt W-2 Information.

    If you must email something, be sure it is encrypted and that the decryption key is not included in or transmitted by email.

  4. Require multi-factor authentication (2FA).

    If you get an email request for an employee's W-2 or other sensitive data, require 2FA such as telephone or face-to-face confirmation of the email request or provision of a verbal verification code known only to the parties before the data is transmitted or the decryption key provided.

  5. Provide employee training.

    Train employees to spot schemes and adhere to company policies and procedures regarding sensitive data.

For more information, please contact your certified HR expert. Not a current Stratus HR client? Book a free consultation and our team will contact you shortly.

Similar posts