Tax Season and W-2 Phishing

Tax Season and W-2 Phishing

Identity theft and tax refund fraud have been prevalent in United States for some time. Now that tax season is upon us, threat actors will increase their efforts to gain access to employee information on a company-wide scale through targeted phishing campaigns.

According to a recent IRS bulletin, W-2 scams started last year (2016) where payroll and HR officials were scammed into releasing employee information in response to spoofed emails from a company executive. According to CSOonline, 41 organizations were successfully targeted in the first quarter of 2016, compromising W-2 information for all or the majority of the affected employees and company affiliates.

Recently, the Odessa, Missouri school district fell victim to a W-2 phishing scam when employee social security numbers, salaries, and W-2s were given to someone pretending to be the district’s superintendent.

A similar incident also affected the Argyle, Texas school district. An email from their ‘superintendent’ requesting the W-2 forms for all district employees was replied to with the requested information.

The phishing emails typically rely on impersonation of an executive level employee, and will generally come from a free email provider (ex. Yahoo, Gmail). To avoid detection they usually will not contain any malicious attachments or links.

Listing 1 – Email Samples

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.
  • “Do you have access to our employee W2 for 2016 files?”

It is imperative that human resources or payroll personnel verify any request for this type of information. Verification should be performed out-of-band via phone or in person with the supposed sender of the request. Verification of the email can also be accomplished through examination of email headers. Headers can generally be pulled by selecting ‘details’ (to the right of the ‘To’ and ‘From’ fields), and selecting ‘view source’ or ‘view original’. Methods can vary between email clients. Instructions for extracting email headers from widely used email clients can be found at:

The Argyle, TX and Odessa, MO cases highlight the importance of training, continuing education on handling tax information, and user awareness about targeted W-2 phishing. A single email has the potential to expose sensitive employee information to cybercriminals.