Scammers Are Phishing for Your W-2 Form

IRS is telling businesses to guard against this costly scheme

This week the IRS warned businesses and their employees to beware of scams in which crooks pose as company owners or executives in an attempt to steal valuable tax and personnel information. The thieves can then use the pilfered W-2 data to file false tax returns or sell the information on the dark web, experts say.

“Is it pervasive? Yes,” says Raphael Tulino, an IRS spokesman in San Diego. “We’ve seen a lot of it in the last couple of years, unfortunately.”

A W-2 form lists an employee’s annual wages paid and withholdings for income taxes, Social Security and Medicare. Large companies may have cybersecurity software and other tools aimed at stopping criminals in their tracks, but smaller businesses, too, must be vigilant, says attorney Joseph Lazzarotti, an expert in data security at law firm Jackson Lewis in Morristown, N.J. “You see people get duped for a lot of things,” he notes.

According to the IRS, the scheme usually works this way: A scammer sends an email pretending to be a company executive. The correspondence may begin with an innocuous, “Hey, you in today?” But by the end of the exchange, the impostor asks for a list of employees and their W-2 statements.

The W-2 scam arose in 2016, according to the IRS, which by February 2017 had issued an alert telling businesses that this particular type of phishing scam had spread and that targets included tribal casinos, temporary staffing agencies, chain restaurants, and shipping and freight firms. Phishing is a fraud technique, usually attempted with an unsolicited email, that tries to lure victims into coughing up their personal or financial information.

The IRS says that it has taken multiple steps to weed out phony tax returns and that the W-2 scam is a key way for criminals to try to grab Americans’ refunds. In 2017 the agency estimated that there were 597,000 tax returns filed fraudulently. That’s down from 883,000 confirmed cases in 2016 and 1.4 million in 2015, the IRS said earlier this year. 

According to an IRS estimate, in 2016 between $1.68 billion and $2.31 billion was paid out in refunds that may have been claimed as a result of identity theft. The money is “likely to be unrecoverable,” the agency said in a report. Using data analytics and partnering with software providers and state tax agencies have helped the IRS identify suspicious filings, according to the agency.

Lazzarotti said scams targeting businesses also sometimes feature fictitious wire instructions from a crook (posing as a CEO) who instructs an employee to wire $100,000 to a “client.”

His advice to workers? “Pick up the phone and verify” that the putative CEO’s email is legit.

Lazzarotti also urges employers not to fixate solely on the possibility of W-2s being compromised because employers maintain a variety of sensitive tax and personnel information. “Other types of forms are vulnerable.”