W-2 Phishing Scams Increasingly Target Payroll Personnel

The W-2 phishing scam often targets payroll and HR professionals. Learn how to prevent it and what to do if your data is compromised.

Often appearing to be from a corporate executive, it begins with a friendly “Are you working today?” email. But the W-2 phishing scam quickly escalates to a request for W-2 information.

What happens when fraudsters succeed? “Cybercriminals who successfully steal W-2 forms immediately attempt to monetize their thefts,” notes the IRS. “Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes.”

Here’s what finance leaders need to know about avoiding W-2 phishing scams and limiting the damage if one should occur.


Any employee — especially in this case HR or payroll staff — who has access to sensitive information should receive regular training and updates on phishing scams and how to avoid them. The IRS notes, for example, that it “never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS websites and IRS impersonation emails.”

In addition, cybersecurity experts strongly recommend auditing and potentially reducing the number of employees with access to W-2 and other sensitive information. The more people with access, the greater the risk of falling victim to a scam.

Mitigating Losses

In the unfortunate event that employee information has been compromised, speed is of the essence. As soon as you believe that you may be a victim of a W-2 phishing scam, the IRS recommends emailing dataloss@irs.gov to alert them of a W-2 data loss. Putting “W-2 Data Loss” in the subject line will help ensure that the email ends up in the right place. In the email, make sure to include the following information:

Business name
Business employer identification number (EIN) associated with the data loss
Contact name
Contact phone number
Summary of how the data loss occurred
Volume of employees impacted
In the email, do not include any employee personally identifiable information.