CEO IMPERSONATION IN W-2 PHISHING ATTACKS: HOW IT WORKS, HOW TO DETECT IT, AND HOW TO STOP IT

By SO Email Security

A comprehensive guide to CEO impersonation in W-2 phishing requests. Covers attack methodology, real cases like Snapchat and Sprouts Farmers Market, FBI and IRS reporting channels, detection checklists, and prevention frameworks grounded in NIST, FBI IC3, and IRS guidance.

Tags: CEO impersonation, W-2 phishing, business email compromise, BEC, tax fraud, identity theft, email security, spear phishing, social engineering, IRS scams, cybersecurity, payroll fraud

How do CEO impersonation attacks steal W-2 data?

The direct answer

CEO impersonation in W-2 requests is a business email compromise (BEC) attack in which a criminal poses as a company executive and emails the HR or payroll department requesting employee W-2 tax forms. W-2 data contains names, addresses, Social Security numbers, and wages, giving attackers everything needed for identity theft and fraudulent tax return filings. The FBI reports BEC losses reached $2.77 billion in 2024, and the IRS lists W-2 phishing among its annual Dirty Dozen tax scams.


What is CEO impersonation in W-2 requests?

CEO impersonation in W-2 requests is a targeted form of business email compromise in which an attacker sends an email that appears to come from the CEO, CFO, or another senior executive, directing an HR, payroll, or finance employee to compile and send employee W-2 tax statements.

The email typically uses a spoofed or lookalike executive email address and employs urgency language to pressure the recipient into bypassing normal verification procedures. Because the request appears to come from the highest authority in the organization, employees often comply without questioning it.

W-2 forms are among the most valuable targets in BEC attacks because they contain the complete data set needed for identity theft: full legal names, home addresses, Social Security numbers, employer identification numbers, and annual compensation figures. Criminals use this data to file fraudulent tax returns with the IRS before the real employees file, claiming refunds that can total thousands of dollars per victim.

The FBI classifies W-2 phishing as a specific variant of BEC under its "Data Theft" category, distinct from wire transfer fraud but using identical social engineering techniques (FBI.gov). The IRS includes W-2 phishing in its annual Dirty Dozen list of tax scams and maintains a dedicated reporting channel at dataloss@irs.gov specifically for organizations that have disclosed W-2 data to unauthorized recipients (IRS, 2025).

CEO impersonation targeting W-2 data is the most efficient method for mass identity theft through a single social engineering action.


Why does W-2 phishing matter?

The convergence of executive impersonation and tax data theft creates a uniquely damaging attack vector that affects every employee in an organization simultaneously.

BEC losses continue to escalate. The FBI's Internet Crime Complaint Center (IC3) reported $2.77 billion in BEC losses and 21,442 complaints in 2024. Total reported cybercrime losses reached $16.6 billion that year, a 33% increase over 2023 (FBI IC3, 2024 Annual Report). Since January 2015, the FBI has documented a 1,300% increase in identified exposed losses from BEC scams, with cumulative global losses exceeding $26 billion between 2016 and 2019 alone.

W-2 breaches expose entire workforces at once. Unlike wire transfer fraud that targets a single transaction, a successful W-2 phishing attack compromises the personal data of every employee whose tax record is disclosed. When Sprouts Farmers Market fell victim in 2016, approximately 21,000 employees had their W-2 data exposed through a single fraudulent email to the payroll department (Trend Micro, FBI). When Snapchat was targeted the same year, an HR employee sent all employee W-2 data after receiving an email impersonating CEO Evan Spiegel (CNN, Tripwire).

Tax season creates a predictable attack window. The IRS warns that W-2 phishing attacks spike between January and April each year, coinciding with tax filing season. The 2025 Dirty Dozen list specifically highlights phishing and spear phishing targeting both taxpayers and tax professionals (IRS, IR-2025-26). An estimated $9.1 billion was lost to tax-related fraud in 2024 (IRS).

The human element drives the majority of breaches. The Verizon 2025 Data Breach Investigations Report links approximately 60% of breaches to human actions. Hoxhunt's research confirms this pattern: 60% of employees would open and act on an email received from a perceived superior, and organizations that run adaptive phishing simulations see failure rates drop from 11% to below 2% within 12 months (Hoxhunt Phishing Trends Report, 2025).

Small and midsize organizations are disproportionately targeted. While high-profile cases make headlines, the FBI notes that BEC targets "businesses of all sizes." Organizations without dedicated security teams or formalized verification procedures for sensitive data requests are particularly vulnerable.

A single W-2 phishing email can compromise more employee records than most data breaches, making it one of the highest-impact social engineering attacks in cybersecurity.


How does a CEO W-2 phishing attack work?

CEO impersonation targeting W-2 data follows a systematic process that exploits organizational trust hierarchies and the time pressure of tax season.

Step 1: Executive reconnaissance

The attacker identifies the target organization's CEO, CFO, or other senior executive through LinkedIn, the company website, press releases, SEC filings, or social media. They collect the executive's full name, email format, communication style, and organizational hierarchy. They also identify the HR director, payroll manager, or controller who handles tax documents.

Step 2: Email infrastructure setup

The attacker creates an email address designed to impersonate the executive. Common techniques include registering a lookalike domain (e.g., company-inc.com instead of companyinc.com), using a free email account with the executive's name as the display name, or, in more sophisticated attacks, compromising the executive's actual email account through credential theft. NIST SP 800-177 documents how email spoofing exploits gaps in sender authentication protocols.

Step 3: Crafting the request

The attacker drafts an email that mimics the executive's communication style and creates urgency. The request is typically simple and direct: "I need the 2025 W-2s for all employees sent to me in PDF format as soon as possible." The email often references a plausible business reason such as an audit, board review, insurance renewal, or year-end compliance requirement. AI-generated phishing tools now produce messages with perfect grammar and contextually appropriate tone, eliminating the spelling errors that once served as red flags.

Step 4: Timing the attack

The email is sent during a period of maximum effectiveness, typically early in tax season (January through March) when W-2 requests are routine and expected. Attackers may also time the email for when the real executive is traveling, in meetings, or otherwise unavailable to confirm the request. Hoxhunt's 2026 Threat Intelligence Report documents the increasing use of "fake email chain" techniques, where attackers fabricate prior email threads to make the W-2 request appear to be part of an ongoing conversation.

Step 5: Data exfiltration

If the payroll or HR employee complies, they compile W-2 data for part or all of the workforce and send it to the attacker. The attacker now possesses Social Security numbers, home addresses, wage information, and employer identification numbers for every affected employee. This data is either used directly to file fraudulent tax returns, sold on dark web marketplaces, or leveraged for secondary identity theft schemes including credit applications and loan fraud.

Step 6: Delayed discovery

Because W-2 phishing does not involve a wire transfer that can be quickly flagged by a bank, organizations often do not discover the breach until employees begin reporting rejected tax returns, which can be weeks or months after the data was exfiltrated. The IRS notes that many victims first learn of the compromise when they attempt to file their legitimate tax return and discover that a fraudulent return has already been filed using their Social Security number.

The entire attack chain, from reconnaissance to data exfiltration, can be executed in a matter of hours, while the consequences persist for years.


What are real cases of CEO W-2 phishing?

Snapchat (February 2016)

An employee in Snapchat's HR department received an email that appeared to come from CEO Evan Spiegel, requesting W-2 data for all current and former employees. The employee complied and transmitted the complete payroll dataset before the company identified the email as fraudulent. Snapchat publicly disclosed the incident, apologized to affected employees, and offered two years of free identity theft insurance and monitoring. The company reported the breach to the FBI (CNN, multiple security outlets, 2016).

Sprouts Farmers Market (March 2016)

A payroll department employee at Sprouts Farmers Market received an email impersonating a company executive requesting 2015 W-2 statements for the entire workforce. The employee compiled and sent the records, exposing approximately 21,000 employees' tax data. Sprouts spokeswoman Donna Egan confirmed: "Sprouts is working with the FBI and the IRS to investigate this crime and to determine the best ways to protect team member tax information." The company provided one year of free credit monitoring to affected employees (Trend Micro, 2016).

Seagate Technology (March 2016)

A Seagate employee sent W-2 data for all current and former employees to an attacker impersonating a company executive. The breach affected approximately 10,000 employees and exposed names, Social Security numbers, salaries, and addresses. Seagate notified the IRS and FBI and offered identity protection services to affected employees.

Broader pattern

The IRS documented a sharp increase in W-2 phishing reports during the 2016 and 2017 tax seasons, issuing an urgent alert in February 2017 warning employers that W-2 phishing had expanded from large corporations to include school districts, nonprofits, healthcare organizations, chain restaurants, and tribal organizations. The FBI's IC3 noted that these attacks followed a nearly identical playbook across all industries: an email impersonating the CEO or CFO, sent to payroll or HR, requesting W-2 data with urgency language.

These breaches demonstrate that W-2 phishing succeeds not because of technical sophistication but because of organizational trust in executive authority.


How do you detect a CEO W-2 phishing email?

W-2 phishing emails are designed to exploit authority and urgency. Use this detection checklist to identify fraudulent requests before data is disclosed.

Sender address verification. Examine the full email address, not just the display name. Lookalike domains (company-inc.com vs. companyinc.com) and free email accounts (ceo.name@gmail.com) are immediate red flags. Check whether the email originates from an internal domain or an external one.

Unusual request channel. Has this executive ever previously requested W-2 data via email? If W-2 data is normally handled through a secure HR system or formal process, an email request should trigger immediate suspicion regardless of the apparent sender.

Urgency and confidentiality language. Phrases such as "send immediately," "keep this confidential," "do not discuss with anyone," or "I need this before end of day" are social engineering pressure tactics designed to prevent the recipient from verifying the request through normal channels.

Timing alignment. W-2 phishing peaks between January and April. An unexpected W-2 request outside of normal processing windows, or one that arrives when the executive is known to be traveling or in an all-day meeting, warrants additional scrutiny.

Scope of the request. Legitimate executive requests for tax data are typically specific and channeled through established procedures. A request for "all employee W-2s" in a single email, without reference to a specific business process or system, is a strong indicator of fraud.

Reply-to address mismatch. Check whether the Reply-To address matches the sender address. Attackers frequently configure the Reply-To field to direct responses to an external account they control, even when the display name and From address appear legitimate.

Missing email authentication markers. If your organization has implemented SPF, DKIM, and DMARC, check whether the email passed authentication. Legitimate internal emails should pass all three checks. External emails impersonating internal addresses should fail DMARC alignment.

The most reliable detection rule for W-2 requests is simple: any email requesting bulk employee tax data requires verbal verification through a separate communication channel before any action is taken.


How do you prevent CEO W-2 phishing attacks?

Preventing W-2 phishing requires layering organizational policy, technical controls, and employee training into a defense framework that eliminates single points of failure.

1. Establish a formal W-2 data handling policy

Create a written policy that explicitly prohibits the transmission of W-2 data via email under any circumstances. Define approved channels for W-2 distribution (e.g., secure HR portal, encrypted file transfer) and require dual authorization for any bulk disclosure of employee tax data. Document this policy and ensure every employee in HR, payroll, and finance has acknowledged it in writing.

2. Implement mandatory out-of-band verification

Require that any request for employee tax data, regardless of the apparent sender, be verified through a separate communication channel before action is taken. This means calling the executive at a known phone number (not a number provided in the email) or confirming in person. The FBI specifically advises: "Don't rely on e-mail alone" (FBI.gov).

3. Deploy email authentication protocols

Implement SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) at enforcement level (p=reject or p=quarantine). NIST SP 800-177 provides comprehensive implementation guidance. These protocols prevent external attackers from sending emails that appear to originate from your organization's domain.
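Added example (not code from the page, NIST, or any vendor): a small Python checker that grades a published SPF and a published DMARC TXT record against the enforcement-level guidance above, with a constructed monitoring-only DMARC record and softfail SPF record beside enforcement-ready ones. The domain, report mailbox, and IP range are invented placeholders.

```python
import re

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP = ("include", "a", "mx", "ptr", "exists", "redirect")

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return weaknesses in a DMARC record; an empty list means enforcement-ready."""
    t = parse_dmarc(txt)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = t.get("p", "none").lower()
    if p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(t.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only part of the failing mail gets the policy")
    if t.get("sp", p).lower() == "none":
        findings.append("subdomains unprotected (sp=none or inherited from p=none)")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports showing who spoofs you")
    return findings

def spf_lookups(terms):
    """Count the terms that trigger DNS lookups (include:, a, mx, ptr, exists, redirect=)."""
    return sum(1 for m in terms if re.split(r"[:/=]", m.lstrip("+-~?").lower())[0] in LOOKUP)

def assess_spf(txt):
    """Return weaknesses in an SPF record; the final 'all' term decides unlisted senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if not last.endswith("all"):
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif last in ("+all", "all"):
        findings.append("+all authorises every host on the internet")
    elif last == "?all":
        findings.append("?all is neutral; receivers treat it like no SPF at all")
    elif last == "~all":
        findings.append("~all softfails only; move to -all once all senders are listed")
    if spf_lookups(terms) > 10:
        findings.append("more than 10 DNS lookups: receivers return permerror")
    return findings

# Constructed records: a monitoring-only pair beside an enforcement-level pair.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc-reports@companyinc.com")
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"

if __name__ == "__main__":
    for rec in (WEAK_DMARC, STRONG_DMARC):
        print(rec, "->", assess_dmarc(rec) or "enforcement-ready")
    for rec in (WEAK_SPF, STRONG_SPF):
        print(rec, "->", assess_spf(rec) or "enforcement-ready")
```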

4. Enable AI-powered email security

Traditional rule-based email filters miss sophisticated BEC attacks because these emails contain no malware, no malicious links, and no attachments. Behavioral AI tools that analyze sender patterns, communication relationships, message intent, and linguistic anomalies detect impersonation attempts that signature-based filters cannot. Deploy a solution that flags emails where the display name matches an internal executive but the sending domain is external.
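Added example (not code from the page or any vendor product): a Python triage function that applies the detection checklist from the previous section (sender address, lookalike domain, Reply-To mismatch, DMARC verdict, bulk W-2 wording, urgency and confidentiality phrases) together with the display-name rule from item 4, run over two constructed messages. The domain companyinc.com, the executive directory, and both messages are invented.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed organisation data (hypothetical; not a real company or person).
INTERNAL_DOMAINS = {"companyinc.com"}
EXECUTIVES = {"jane doe": "jane.doe@companyinc.com"}
URGENCY = ("immediately", "as soon as possible", "before end of day",
           "keep this confidential", "do not discuss")
W2 = re.compile(r"\bw-?2s?\b", re.I)
BULK = re.compile(r"\b(all|every|entire)\b[^.\n]{0,40}\bemployees?\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike(domain):
    """External domain equals ours once hyphens are removed, or is one edit away."""
    return any(domain != d and (domain.replace("-", "") == d or levenshtein(domain, d) <= 1)
               for d in INTERNAL_DOMAINS)

def triage(raw):
    """Return the checklist findings that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:  # item 4: exec name, wrong mailbox
        findings.append("display name matches an executive but address does not")
    if from_dom not in INTERNAL_DOMAINS and lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply)} differs from sender")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dmarc = re.search(r"\bdmarc=(\w+)", auth)  # verdict stamped by our own MX
    if from_dom in INTERNAL_DOMAINS and not (dmarc and dmarc.group(1).lower() == "pass"):
        findings.append("internal sender domain did not pass DMARC")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if W2.search(text) and BULK.search(text):
        findings.append("bulk W-2 request")
    hits = [p for p in URGENCY if p in text.lower()]
    if hits:
        findings.append("urgency/confidentiality language: " + ", ".join(hits))
    return findings

# Constructed sample messages: a lookalike-domain request and a benign internal one.
PHISH = """From: "Jane Doe" <jane.doe@company-inc.com>
Reply-To: jdoe@freemail.example
Authentication-Results: mx.companyinc.com; spf=pass; dkim=pass; dmarc=pass header.from=company-inc.com
Content-Type: text/plain

I need the 2025 W-2s for all employees sent to me in PDF format as soon as possible.
Keep this confidential.
"""
LEGIT = """From: "Jane Doe" <jane.doe@companyinc.com>
Authentication-Results: mx.companyinc.com; spf=pass; dkim=pass; dmarc=pass header.from=companyinc.com
Content-Type: text/plain

Can you confirm the headcount figure from the HR portal for the board deck?
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw) or "no findings")
```

Any non-empty result still ends in the out-of-band phone call the checklist requires; the script only decides which messages must never be answered by email alone.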

5. Run targeted phishing simulations

Generic phishing training does not adequately prepare employees for BEC attacks. Run simulations that specifically replicate CEO impersonation scenarios requesting W-2 or other sensitive data. Hoxhunt's research demonstrates that organizations running adaptive phishing simulations see failure rates plummet by 5.5x within 12 months, and that CEO money-transfer requests are among the scenarios with the highest reporting rates when employees are properly trained (Hoxhunt Phishing Trends Report, 2025). Include simulations with fake email thread techniques, which Hoxhunt's 2026 Threat Intelligence Report identifies as an increasing tactic in real-world campaigns.

6. Restrict W-2 access and distribution

Limit the number of employees who have access to bulk W-2 data. Apply the principle of least privilege so that only designated payroll personnel can generate and distribute W-2 statements, and only through approved secure channels. Configure HR systems to log and alert on any bulk export of employee tax records.

7. Implement phishing-resistant multi-factor authentication

Protect executive email accounts with FIDO2/WebAuthn hardware security keys rather than SMS or app-based MFA, which are increasingly bypassed by adversary-in-the-middle attacks. NIST SP 800-63B recommends phishing-resistant MFA for high-value accounts. A compromised executive email account transforms a BEC attack into an account takeover with far higher success rates.

8. Conduct tax season security briefings

Before each tax season (December through January), conduct targeted security briefings for all HR, payroll, and finance staff. Review the W-2 data handling policy, share examples of current phishing lures from the IRS Dirty Dozen list, and reinforce the out-of-band verification requirement. The IRS's annual National Tax Security Awareness Week provides ready-made educational resources.

Organizations that combine written policy, out-of-band verification, email authentication, behavioral AI, and adaptive training create a defense that no single phishing email can penetrate.


What should you do if your organization falls victim to a W-2 phishing attack?

Speed is critical. The window between data disclosure and fraudulent tax return filing can be as short as 24 to 48 hours. Follow this incident response sequence.

Immediate actions (first 24 hours)

Notify the IRS. Email dataloss@irs.gov with "W-2 Data Loss" in the subject line. Include the organization's name, EIN, contact information, the number of employees affected, and a summary of how the breach occurred. The IRS uses this notification to flag affected Social Security numbers and monitor for fraudulent returns. Forward any phishing emails received to phishing@irs.gov.

Report to the FBI. File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. Include all available information about the fraudulent email, including headers, sender addresses, and the timeline of events.

Notify state tax agencies. Email the Federation of Tax Administrators at statealert@taxadmin.org to alert state revenue agencies that employee tax data has been compromised. Each state has its own identity theft procedures, and early notification helps prevent fraudulent state return filings.

Preserve evidence. Do not delete the phishing email or any related communications. Capture full email headers, server logs, and any records of the data that was transmitted. This evidence is essential for law enforcement investigation and potential legal proceedings.

Employee notification (within 48 to 72 hours)

Notify all affected employees. Provide clear, factual communication about what data was exposed, when the breach occurred, and what specific steps employees should take. Avoid minimizing the incident.

Instruct employees to file IRS Form 14039. The Identity Theft Affidavit alerts the IRS that the employee may be a victim of tax-related identity theft. Employees should file this form even if they have not yet experienced fraudulent activity.

Recommend filing tax returns immediately. Employees should file their legitimate tax returns as quickly as possible to preempt fraudulent filings. An Identity Protection PIN (IP PIN) can be obtained from the IRS for additional security on future returns.

Provide credit monitoring and identity protection. Offer at minimum one year of credit monitoring through a reputable provider. Recommend that employees place fraud alerts or credit freezes with the three major credit bureaus (Equifax, Experian, TransUnion).

Organizational remediation

Conduct a root cause analysis. Determine how the phishing email bypassed existing controls, why the employee complied without verification, and what policy or technical gaps enabled the breach.

Implement corrective controls. Based on the root cause analysis, implement the specific prevention measures outlined in the prevention section above. At minimum, establish a formal W-2 data handling policy with mandatory out-of-band verification.

Document and report. Maintain a complete incident record for regulatory compliance, insurance claims, and potential litigation. Depending on jurisdiction and organization size, breach notification laws may require disclosure to state attorneys general or regulatory bodies within specific timeframes.

The difference between a contained incident and a catastrophic one is measured in hours, not days.


Frequently Asked Questions

What makes W-2 data more valuable than credit card numbers to attackers?

W-2 data contains Social Security numbers, which are permanent identifiers that cannot be reissued like credit card numbers. A stolen credit card can be canceled within hours, but a compromised Social Security number enables ongoing identity theft for years, including fraudulent tax returns, credit applications, loan fraud, and medical identity theft. The IRS estimates billions in annual losses from tax-related identity theft enabled by stolen Social Security numbers.

Why do these attacks target HR and payroll instead of the CEO directly?

HR and payroll employees have direct access to bulk W-2 data and are accustomed to processing data requests from executives. The attack exploits the organizational dynamic where lower-ranking employees are reluctant to question or verify requests from senior leadership, particularly when the request is framed as urgent and confidential. The FBI notes that finance, HR, and payroll departments are the most frequently targeted in BEC attacks.

Can email filters stop CEO W-2 phishing?

Traditional email filters and secure email gateways are largely ineffective against BEC attacks because W-2 phishing emails typically contain no malware, no malicious attachments, and no suspicious links. They are pure social engineering. Behavioral AI tools that analyze sender identity, communication patterns, and message intent offer significantly better detection rates, but no single technical control is sufficient. Organizational policy requiring out-of-band verification remains the most reliable defense.

What should an employee do if they already sent W-2 data before realizing it was a scam?

Immediately notify your IT security team and direct supervisor. The organization should then follow the incident response sequence: report to the IRS at dataloss@irs.gov, file with FBI IC3 at ic3.gov, notify state tax agencies at statealert@taxadmin.org, notify all affected employees, and instruct them to file IRS Form 14039 (Identity Theft Affidavit) and file their legitimate tax returns as quickly as possible.

Does W-2 phishing only happen during tax season?

W-2 phishing peaks during tax season (January through April) because W-2 requests are routine and expected during this period, making fraudulent requests less suspicious. However, the FBI and IRS warn that these attacks can occur at any time of year, particularly disguised as audit requests, insurance documentation needs, or year-end compliance requirements. The IRS's 2025 guidance explicitly notes that Dirty Dozen scams "can be encountered at any time during the year, but they peak during regular and extended tax seasons."


Executive summary (TL;DR)

CEO impersonation in W-2 requests is a business email compromise attack where criminals pose as executives and email HR or payroll requesting employee W-2 tax forms. W-2 data contains Social Security numbers, home addresses, and wages, providing everything needed for mass identity theft and fraudulent tax return filings. The FBI reported $2.77 billion in BEC losses in 2024, and real cases including Snapchat (all employee W-2s disclosed), Sprouts Farmers Market (21,000 employees exposed), and Seagate (10,000 employees exposed) demonstrate the scale of damage from a single fraudulent email. Prevention requires a written W-2 data handling policy prohibiting email transmission, mandatory out-of-band verification for all tax data requests, SPF/DKIM/DMARC email authentication, AI-powered email security, and targeted phishing simulations replicating CEO impersonation scenarios. If compromised, immediately report to the IRS at dataloss@irs.gov, file with FBI IC3 at ic3.gov, notify state agencies at statealert@taxadmin.org, and instruct affected employees to file IRS Form 14039 and submit legitimate tax returns as quickly as possible.


Sources

  • FBI Internet Crime Complaint Center (IC3), 2024 Annual Report, ic3.gov
  • FBI, "Business E-Mail Compromise on the Rise," fbi.gov
  • IRS, "Dirty Dozen Tax Scams for 2025," IR-2025-26, irs.gov
  • IRS, "Reminds Taxpayers and Small Businesses to Look Out for Scams," irs.gov, 2025
  • IRS, National Tax Security Awareness Week 2024 and 2025, irs.gov
  • IRS, W-2 scam reporting: dataloss@irs.gov; phishing reporting: phishing@irs.gov
  • NIST Special Publication 800-177, Trustworthy Email
  • NIST Special Publication 800-63B, Digital Identity Guidelines
  • Hoxhunt, Phishing Trends Report 2025, hoxhunt.com
  • Hoxhunt, Threat Intelligence Report 2026, hoxhunt.com
  • CNN, Snapchat W-2 phishing breach reporting, 2016
  • Trend Micro, "Data Breach Puts Tax Data of Supermarket Chain's 21,000 Employees at Risk," 2016
  • Tripwire, Snapchat W-2 phishing incident analysis, 2016
  • Verizon, 2025 Data Breach Investigations Report
  • IBM, Cost of a Data Breach Report 2024