W-2 attacks are a type of business email compromise (BEC) in which a bad actor uses email to fool an unsuspecting employee, typically in payroll or HR, into sending U.S. Internal Revenue Service Form W-2 data, which contains employee wage and tax information, to a third party.
Why it matters
W-2 attacks usually involve a bad actor spoofing the visible ‘From’ header so that it matches the email address of a trusted colleague, such as a company executive. Unless the recipient's mail system can verify that the message was actually authorized by the domain in that ‘From’ address, the target has no reliable way to tell a spoofed message from a genuine one and treats it as valid.
Without this sender authentication, the targeted individual is fooled into sending the employee tax records, which typically include Personally Identifiable Information (PII) such as:
- Address – employee home address
- Full name – employee first and last name
- Salary – employee wage and bonus information
- Social Security Number – United States taxpayer identification
W-2 attacks that spoof the impersonated organization's own domain can be thwarted if that organization has adopted DMARC email authentication. With a DMARC enforcement policy (p=quarantine or p=reject) published for the domain, a receiving mail server that honors DMARC checks whether the message passed SPF or DKIM for a domain aligned with the visible ‘From’ address; a spoofed message sent from an unauthorized server fails that check and is sent to the spam folder or rejected before delivery. Two caveats apply: a monitoring-only policy (p=none) reports spoofing but does not stop it, and DMARC covers only exact-domain spoofing, so lookalike domains, display-name tricks and compromised legitimate accounts must be addressed by other controls.
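The following is an added example, not code from the original page: a small Python model of the alignment check a DMARC-honoring receiver performs, run over constructed scenarios for the spoofing described above and for the caveats. Domain names (example.com, attacker.example, examp1e.com) are hypothetical, the organizational-domain helper is a simplification of the Public Suffix List lookup real implementations use, and the pct, sp and rua tags are deliberately not modeled.

```python
"""DMARC alignment and disposition, modeled for a W-2 style spoof (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # policy tag is required; 'none' is the safe default
    tags.setdefault("adkim", "r")   # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; real code uses the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Is the authenticated domain aligned with the RFC5322.From domain?"""
    if auth_domain is None:           # SPF/DKIM did not pass at all
        return False
    if mode == "s":                   # strict: exact match
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)   # relaxed


@dataclass
class AuthResult:
    from_domain: str                  # domain in the visible From header
    spf_pass_domain: Optional[str]    # MAIL FROM domain if SPF passed, else None
    dkim_pass_domain: Optional[str]   # d= of a verified DKIM signature, else None


def dmarc_disposition(msg: AuthResult, record: Optional[str]) -> str:
    """Return 'pass', or the policy to apply ('none', 'quarantine', 'reject')."""
    if record is None:
        return "none"                 # no record published: receiver has nothing to enforce
    tags = parse_dmarc(record)
    if aligned(msg.from_domain, msg.spf_pass_domain, tags["aspf"]) or \
       aligned(msg.from_domain, msg.dkim_pass_domain, tags["adkim"]):
        return "pass"
    return tags["p"]


# Constructed scenarios (hypothetical domains).
# Attacker mails from their own server; SPF passes for their envelope domain,
# but the visible From claims the target company's domain.
SPOOF = AuthResult("example.com", spf_pass_domain="attacker.example", dkim_pass_domain=None)
# Genuine mail from the company's own outbound server.
GENUINE = AuthResult("example.com", spf_pass_domain="example.com", dkim_pass_domain="example.com")
# Lookalike domain the attacker registered and authenticates for.
LOOKALIKE = AuthResult("examp1e.com", spf_pass_domain="examp1e.com", dkim_pass_domain=None)

WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"   # monitoring only
ENFORCED_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"             # enforcement


def scenarios() -> Dict[str, str]:
    """Dispositions a DMARC-honoring receiver would reach for each case."""
    return {
        "spoof_no_record": dmarc_disposition(SPOOF, None),
        "spoof_weak": dmarc_disposition(SPOOF, WEAK_RECORD),
        "spoof_enforced": dmarc_disposition(SPOOF, ENFORCED_RECORD),
        "genuine_enforced": dmarc_disposition(GENUINE, ENFORCED_RECORD),
        # The lookalike's own record is consulted, not example.com's: DMARC cannot help here.
        "lookalike_enforced": dmarc_disposition(LOOKALIKE, "v=DMARC1; p=reject"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The spoof is only stopped in the `spoof_enforced` case: the record has to exist, carry an enforcement policy, and the receiver has to act on it. The `lookalike_enforced` case passes because the DMARC lookup is keyed on the domain actually in the From header, which the attacker controls.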