Protect Yourself Against Tax Season W-2 Phishing Scheme

February 2, 2018

By Jennifer Hart and Kyle Hutnick


Tax season is upon us, and with it comes plenty of opportunities for hackers to obtain sensitive personal information from employers and individual taxpayers. One particularly cunning scheme is a phishing attack designed to lure payroll and HR professionals into exposing personally identifiable information to hackers by way of employees’ W-2 forms. Such forms contain employees’ full names, social security numbers and salary information. Other personally identifiable information can include a driver’s license or state ID card number or an account, credit or debit card number in combination with a security or access code or a password.

Here’s how it works: hackers send an email to a company’s HR staff that purports to come from one of the company’s executives and asks the recipient to respond by sending employees’ W-2 forms. According to the IRS, the language of such emails has included:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

With that information in hand, cybercriminals can impersonate these taxpayers’ identities, sell the data or file fraudulent tax returns in order to pocket the refunds. Particularly susceptible are small businesses that have fewer security, payroll and HR resources than large corporations, and are more likely to communicate directly with top-level executives.

What can you do to protect yourself against an attack like this one?

  • Educate your HR and payroll staff. Be sure your employees know to never send personally identifiable information over email, even if it appears to come from one of your executives, and to notify the appropriate individuals within your company if a suspicious email arrives in their inboxes. Be proactive about preparing staff for potential phishing attacks, and urge them to always err on the side of caution.
  • Know your reporting requirements. Each state’s reporting requirements vary, but the Ohio Data Breach Notification Law, requires businesses – either for profit or not-for-profit – to promptly investigate a suspected data breach and notify potential victims within 45 days. If the breach impacts more than 1,000 Ohio residents, you must also notify national credit reporting agencies. And act fast if you suspect a breach – the fines for failing to meet these notification requirements are $10,000 per day in the state of Ohio.
  • Protect yourself all year round. Even though this type of attack is most common during tax season, phishing schemes can happen any time of year. Stay informed on the latest types of attacks and have a strategy for data protection.

For more information on how you can protect your company from this and other types of cyberattacks, contact KJK’s Administrative Partner, David Posteraro, at drp@kjk.com or 216.736.7218.

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.