It’s Tax Season, and W-2 Scams Are On the Rise

Last month the Federal Bureau of Investigation issued a warning that should make every corporate accounting professional and cybersecurity professional sit up and take notice.

W-2 scams, already one of the leading types of business email compromise, or BEC, are on the rise this year, the FBI cautioned:

Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information. …

The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.

IRS form W-2This kind of attack is almost devilishly simple. All the attacker needs to do, in most cases, is put a fake email address in the “from” field of their message, making it look like it comes from a company executive. The “reply-to” field, however, lists an address controlled by the hacker. The hacker then crafts the body of the message to look like a legitimate request for employee W-2 forms, and sends it to a target within the organization, such as a lower-level accounting professional or bookkeeper, who is likely to respond quickly to the apparent executive’s “urgent” request.

If the target doesn’t spot the scam and replies to the message with the requested W-2s, their reply — and all that employee data — will be sent to the hacker’s email address.

This Is Serious

This might not sound as bad as other kinds of BEC attacks that try to induce targets to wire money to an offshore account controlled by the hacker. After all, no money is lost in the W-2 fraud.

But what is lost is valuable employee information, including full legal names, mailing addresses, Social Security numbers, and salary information. That can lead to further corporate compromise as well as identity theft directed at your employees.

It might also open your company up to legal action from employees who may be justifiably upset that you didn’t do more to protect their personal data. At least one company, Seagate, got sued by its employees after its HR department got hit by a W-2 scam and handed over data for current and former staffers.

How to Protect Your Company

The FBI has some tips in its post on what to do if you spot a W-2 scam, and how to respond. But one of the best ways to avoid this scam is to close down the easiest avenue of attack: The spoofed email.

You can do that by configuring email authentication for your company’s domains, and setting it to an enforcement status. Do that, and mail servers worldwide will reject any senders that use your domains in the From fields of your messages, but which haven’t been explicitly authorized by you.

Are there other ways to trick employees into handing over W-2 forms? Of course. But email authentication with DMARC makes the most devious and hard-to-detect attacks impossible, and it’s where you should start.

Find out if your company’s domain is vulnerable right now. And if it is, make sure your IT security staff know about the need for email authentication.


Valimail is an anti-phishing company that has been driving the global trustworthiness of digital communications since 2016, with the only comprehensive platform for stopping fake email, protecting brands, and helping ensure compliance. Valimail has won multiple cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies, including Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail is based in San Francisco. For more information visit