The most popular time of the year for W-2 related cyber attacks is during tax season. Phishing emails will often request employees to provide W-2s by return email. Read this blog post to learn more.


The most likely cyber attack a company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC), and the most popular time of the year for the W-2 version of BEC is right now — tax season.

A BEC attack involves attackers sending emails disguised as coming from high-level executives within a company, such as the CEO, to lower level personnel. During tax season, the spoof email will often request that W-2s for employees be provided by return email.

While the email looks identical to the executive’s email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s and the personal information associated with the documents.

If an employee falls for the scam, the company now has experienced a serious data breach and must comply with certain legal requirements. Worse yet, the company’s employees’ sensitive personal information has been given to the attackers and they have this problem to worry about instead of performing their job. The disruption is substantial in their personal lives and for the company’s operations.

How do attackers use W-2 information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have their tax refunds sent to them instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once the information is obtained. In some cases, they have begun to fraudulently use the information on the same day they obtained the W-2 information from the company. Time is truly of the essence in responding to these attacks and legal assistance is necessary for properly responding to these data breach events.

Why do so many attacks happen during tax season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks during the beginning of each year because of tax season. This is consistent with what is seen in helping companies with these cases in past years, as well. The reason this type of attack is so common during tax season is because of the tax-related fraud aspect of this type of attack. That is, the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and obtain refunds from innocent victims.

And the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If a company has not yet been targeted, it is likely that it will be very soon so it is important to be prepared.

What can you do to protect your company?

Educating employees is critical because they will be the ones who receive the emails from the attackers.

  • Make them aware of this issue by sharing the information in this article with them so that they understand the threat, how it works and how it could affect them personally.
  • Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

Have appropriate internal controls in place to protect against these types of attacks. These controls can include:

  • Limit who has access to your company’s W-2s and other sensitive information as well as who has the authority to submit or approve wire payments.
  • Have established procedures in place for sending W-2 information or other sensitive information as well as for submitting or approving wire payments so that dual approvals are required for these activities.
  • Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in-person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then use email to confirm by using an email address known to be correct to confirm with the purported requestor. Never reply to one of these emails or call using a telephone number that is provided in one of these emails, faxes, or telephone calls.

What to do if your company is hit by an attack

  • Immediately contact experienced legal counsel who understands how to guide a company through these incidents and, ideally, has appropriate contacts with law enforcement and the IRS to assist in reporting this incident quickly.
  • Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect the employees whose information was exposed in the W-2s.
  • Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements. This should be a part of an existing incident response plan. Companies should have such a procedure in place to be better prepared if and when a security breach occurs.
  • Inform employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter.

SOURCE: Tuma, S. (19 February 2019) “4 FAQs about W-2 business email compromise attacks during tax season” (Web Blog Post). Retrieved from https://www.benefitspro.com/2019/02/19/4-faqs-about-w-2-business-email-compromise-attacks-during-tax-season/