W-2 Attacks

W-2 attacks are a type of business email compromise (BEC) wherein a bad actor uses email to fool an unsuspecting individual into sending U.S. Internal Revenue Service W-2 Forms, containing employee wages and tax information, to a third party.

Why it matters

W-2 attacks usually involve a bad actor spoofing the visible ‘From’ field to match the email address of a trusted colleague. With no reliable way to validate whether the email is from the impersonated sender, the target assumes it is a valid message.

Without this sender authentication, the attacked individual is fooled into sending the employee tax records, which typically include Personally Identifiable Information (PII) such as:

  • Address – employee home address
  • Full name – employee first and last name
  • Salary – employee wage and bonus information
  • Social Security Number – United States taxpayer identification

W-2 attacks can be thwarted if the impersonated entity has adopted DMARC email authentication. DMARC with an enforcement policy blocks these same-domain name attacks with 100 percent effectiveness, because emails from unauthorized individuals are sent to spam folders or deleted before delivery.