HOW W-2 SCAMS STEAL EMPLOYEE DATA: DETECTION, PREVENTION, AND RESPONSE

By SO Email Security · 14 min read

W-2 scams are business email compromise attacks that trick HR and payroll employees into sending employee tax records to criminals. Learn how these attacks work, how to detect them, and how to protect your organization.

Tags: W-2 scams, business email compromise, BEC, phishing, payroll fraud, tax fraud, identity theft, email security, social engineering, CEO fraud, SPF, DKIM, DMARC, IRS scams, employee data protection

How Do W-2 Scams Steal Employee Data?

W-2 scams are a form of business email compromise in which an attacker impersonates a company executive and emails an HR or payroll employee requesting W-2 tax forms for the entire workforce. The targeted employee, believing the request comes from leadership, sends names, home addresses, Social Security numbers, and salary data directly to the attacker. Criminals then file fraudulent tax returns, open credit lines, or sell complete identity profiles on dark web marketplaces.


What is a W-2 scam?

A W-2 scam is a targeted social engineering attack in which a cybercriminal impersonates a CEO, CFO, or other senior executive and sends an email to an employee in payroll, HR, or finance requesting copies of employee W-2 tax forms. The IRS has described it as one of the most dangerous phishing email campaigns in the tax community.

W-2 scams are a subcategory of business email compromise (BEC). The FBI defines BEC as a sophisticated scam targeting businesses and individuals who perform legitimate transfer-of-funds requests, carried out by compromising legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds or information.

Unlike a traditional data breach, in which attackers infiltrate systems through technical exploits, a W-2 scam carries no payload for perimeter controls to catch. No malware is deployed. No firewall is breached. The attack succeeds when a single employee responds to what appears to be a routine email from a known authority figure.

A W-2 form (Wage and Tax Statement) is issued annually by employers to employees and contains the following personally identifiable information (PII):

  • Full legal name
  • Home address
  • Social Security number
  • Employer Identification Number (EIN)
  • Annual wages and compensation
  • Federal, state, and local tax withholdings
  • Benefits contributions

This combination of data points constitutes a complete identity package. A single compromised W-2 provides everything an attacker needs to impersonate the victim for financial fraud, tax fraud, and long-term identity theft.


Why do W-2 scams matter?

W-2 scams matter because they expose every employee in an organization in a single incident, create cascading financial and legal consequences, and remain one of the most reliably successful attack vectors in cybercrime. The data supports the severity of this threat across multiple dimensions.

Financial impact

Business email compromise, the parent category of W-2 scams, generated $2.77 billion in reported losses across 21,442 incidents in 2024, according to the FBI Internet Crime Complaint Center (IC3). Since the IC3 began tracking BEC as a category in 2015, cumulative reported losses have exceeded $17.1 billion. BEC was the second most costly cybercrime category in 2024, behind only investment fraud.

Total reported cybercrime losses reached $16.6 billion in 2024, a 33% increase from $12.5 billion in 2023. The average loss per reported cybercrime incident rose from $14,197 to $19,372.

Phishing, the delivery mechanism for most W-2 scams, remained the most reported cybercrime in 2024, with 193,407 complaints. Phishing-related financial losses nearly quadrupled year over year, rising from $18.7 million in 2023 to $70 million in 2024.

Scale and frequency

The Association for Financial Professionals reported in its 2025 Fraud and Control Survey that 63% of organizations experienced BEC attacks in 2024. W-2 scam activity surges seasonally, with the highest concentration of attacks occurring between January and April during tax filing season. The CyberRisk Alliance documented a 130% increase in W-2 fraud attempts between December 2023 and January 2024.

The IRS issued its first public alert about W-2 scams in early 2016, and the attacks have since targeted every type of organization: large corporations, small businesses, public school systems, universities, hospitals, nonprofits, government agencies, and government contractors.

Consequences beyond financial loss

A successful W-2 scam triggers a chain of consequences that extends well beyond the initial data theft:

For employees: Fraudulent tax returns filed in their names, delayed legitimate refunds, unauthorized credit accounts, long-term credit damage, and the burden of resolving identity theft that can take months or years.

For employers: Mandatory breach notification under state and federal law, potential class action lawsuits from affected employees, regulatory penalties, increased cyber insurance premiums, reputational damage, and operational disruption during investigation and remediation.

Legal precedent: In Curry v. Schletter Inc. (W.D.N.C. 2018), a federal court, denying the employer's motion to dismiss, held that employees had plausibly alleged that sending W-2 data in response to a phishing email was an "intentional disclosure" under the North Carolina Identity Theft Protection Act, a category that carries treble (triple) damages. The decision significantly increases the potential liability of organizations that fail to implement adequate training and controls.


How does a W-2 scam attack work?

W-2 scams follow a structured attack chain that exploits authority, urgency, and routine workplace communication. Each step is designed to minimize suspicion and maximize the likelihood of compliance.

Step 1: Reconnaissance

The attacker gathers intelligence on the target organization using publicly available sources. Company websites reveal executive names and organizational structure. LinkedIn profiles identify HR directors, payroll managers, and finance staff by name and title. Press releases, earnings calls, and social media posts disclose executive travel schedules, corporate events, and reporting cycles.

The IRS has noted that attackers conduct thorough research to ensure their requests align with the real job responsibilities of both the impersonated executive and the targeted employee. A phone call to a busy assistant can confirm the name of the person who handles payroll. A review of the company's About page provides executive headshots and bios that add credibility to spoofed communications.

Step 2: Email spoofing and impersonation

The attacker crafts an email designed to appear as though it originates from a senior executive, typically the CEO, CFO, or a direct supervisor of the targeted employee. Common spoofing techniques include:

Display name spoofing: The attacker sets the sender display name to match the executive's name while using a different email address. Many email clients display only the name by default, especially on mobile devices.

Lookalike domains: The attacker registers a domain that closely resembles the organization's real domain. Common techniques include substituting visually similar characters ("rn" for "m," "1" for "l"), adding prefixes or suffixes ("company-hr.com" instead of "company.com"), or using alternate top-level domains (".co" instead of ".com").

Compromised accounts: In more sophisticated attacks, the criminal gains access to the executive's actual email account through credential phishing or password reuse. Because the message is sent from the real account, it passes SPF, DKIM, and DMARC checks and is technically indistinguishable from legitimate correspondence; only out-of-band verification of the request itself catches it.

Step 3: Initial contact

The IRS has documented that attackers frequently begin with a low-stakes message to establish a conversational thread before making the data request. A typical opening might read: "Hi, are you working today?" or "Are you available? I need something handled quickly."

This initial contact serves two purposes. It confirms the target is responsive and creates a context of normal interaction that makes the subsequent request feel like a natural continuation rather than an isolated, suspicious demand.

Step 4: The data request

Once the conversational thread is established, the attacker sends the primary request for W-2 data. The IRS has provided examples of actual language used in these attacks:

  • "Kindly send me the individual 2025 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."
  • "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?"
  • "I need the W-2 copies for all employees sent to me in PDF format before end of day."

The language is typically polite, direct, and professional. The request is framed as routine and within the normal scope of executive authority. Urgency is conveyed through references to deadlines, audits, board reviews, or tax compliance requirements.

Step 5: Data exfiltration

The targeted employee compiles the requested W-2 data, often as an unencrypted PDF, spreadsheet, or CSV file, and sends it directly to the attacker via email. Because the email contains no malicious links, attachments, or code, it passes through spam filters and antivirus software without triggering any alerts.

The IRS has emphasized that this type of attack is particularly dangerous because it relies on well-researched and carefully crafted emails that do not alert antivirus software or spam filters. Once the email reaches an employee's inbox, detection depends entirely on that individual's judgment.

Step 6: Monetization

The IRS confirms that criminals who successfully steal W-2 forms immediately attempt to monetize the theft through multiple channels:

Tax refund fraud: Attackers file fraudulent federal and state tax returns using stolen SSNs and income data, claiming refunds before the legitimate employees file their own returns.

Dark web resale: Complete identity packages containing names, SSNs, addresses, and income data are sold to other criminals on dark web marketplaces. A single W-2 record can sell for $20 to $50, making a bulk theft of hundreds or thousands of records highly profitable.

Credit and loan fraud: Attackers use stolen identities to open credit cards, take out personal loans, or establish new financial accounts in victims' names.

Ongoing identity exploitation: Stolen PII enables long-term fraud including medical identity theft, synthetic identity creation, and employment fraud.

Step 7: Delayed discovery

Because W-2 scams involve routine email communication rather than system intrusions, detection is often significantly delayed. The IRS and security researchers have noted that some organizations do not realize they have been compromised for days, weeks, or even months after the incident. Discovery frequently occurs only when employees report rejected tax returns or unexpected IRS correspondence.


What are real examples of W-2 scam incidents?

W-2 scams have affected organizations across every sector and size. The following documented cases illustrate the range and severity of these attacks.

Schletter Inc. (2016)

An employee at Schletter Inc., a North Carolina-based solar mounting manufacturer, received an email that appeared to come from a supervisor requesting W-2 tax information for verification purposes. The employee responded with an unencrypted file containing the personal information of approximately 200 employees.

Affected employees sued the company. In Curry v. Schletter Inc. (W.D.N.C. 2018), the federal court declined to dismiss the case, finding that the employee's email response could constitute an "intentional disclosure" rather than an inadvertent data breach, which would expose Schletter to treble damages under the North Carolina Identity Theft Protection Act. The court's reasoning set a significant marker: employers whose staff voluntarily hand over data in response to a well-known phishing pattern face enhanced liability rather than the lesser exposure associated with a passive breach.

American Senior Communities (2017)

In January 2017, a payroll processor at American Senior Communities, a nursing home chain, received an email that appeared to come from a company official requesting W-2 tax information. The employee sent the data to what turned out to be an offshore phishing operation, compromising the W-2 records of more than 17,000 current and former employees.

The exposed information included every data element contained on an IRS Form W-2: names, addresses, Social Security numbers, income, and tax withholding details for the entire workforce.

Seagate Technology (2016)

In March 2016, Seagate Technology disclosed that an employee had emailed the 2015 W-2 forms of all current and former employees to an attacker impersonating a company executive. The breach affected approximately 10,000 employees. Seagate subsequently faced a class action lawsuit from affected employees.

Sprouts Farmers Market (2016)

Sprouts Farmers Market confirmed in 2016 that employee W-2 data was compromised through a phishing email impersonating a company executive. The attacker requested and received W-2 records for the grocery chain's workforce.

Broader pattern

At the peak of W-2 scam activity in 2016 and 2017, security journalist Brian Krebs reported receiving notifications of nearly one new W-2 phishing victim per day. Targets included EWTN Global Catholic Network, Moneytree, and numerous school districts, hospitals, and municipal governments. A government cybersecurity contractor also fell victim, exposing the W-2 data of its entire employee base.


How can you detect a W-2 phishing email?

The following detection checklist provides a systematic framework for evaluating any email that requests W-2 data, employee PII, or bulk personnel records.

Sender verification

  • Do the From address and the Reply-To address both exactly match the executive's verified email address, character for character? A Reply-To that differs from From diverts your answer (and any attachment) to the attacker.
  • Is the email domain the organization's primary domain, or a variation with added characters, substituted letters, or a different top-level domain?
  • Do the Return-Path (envelope sender) and Received headers show a different originating domain than the display name suggests?

Request analysis

  • Has this executive ever directly requested bulk W-2 data by email before?
  • Does the request align with established organizational procedures for handling tax records?
  • Is the request for all employee records rather than a specific individual's information?

Urgency and pressure indicators

  • Does the email create artificial time pressure ("I need this by end of day," "urgent request")?
  • Does the message discourage consultation with others ("keep this between us," "do not share with anyone")?
  • Does the request bypass normal approval chains or documented procedures?

Communication pattern analysis

  • Did the request arrive exclusively by email with no prior verbal discussion?
  • Does the writing style, tone, greeting, or signature block differ from the executive's typical communication?
  • Was the email sent at an unusual time (late night, weekend, holiday)?

Timing context

  • Did the email arrive during peak tax season (January through April)?
  • Is the executive currently traveling, at a conference, or otherwise unavailable for in-person verification?
  • Does the timing coincide with payroll processing deadlines?

Technical indicators

  • Does the Authentication-Results header show SPF, DKIM, or DMARC failures, or no DMARC result at all for a message claiming to come from inside the organization?
  • Does the message contain unusual formatting, fonts, or encoding inconsistencies?
  • Is the email threaded into an existing conversation, or does it start a new thread mimicking prior correspondence?

If any indicators are present, do not respond to the email. Verify the request through a separate, independent communication channel.
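The checklist above can be run mechanically against a raw message before a human ever reads the body. The script below is an added example for this article, not code from the page's author or any vendor: it parses a message, compares the display name against an assumed executive directory, classifies the sender domain as internal, lookalike (confusable characters, added affix, alternate TLD) or external, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and flags urgency and secrecy language. ORG_DOMAIN, EXEC_DIRECTORY and both sample messages are constructed assumptions, and off-hours is judged in UTC for simplicity.

```python
"""Triage a raw message for the W-2 scam indicators in the checklist.

Added example for this article (not the page's or any vendor's code).
ORG_DOMAIN, EXEC_DIRECTORY and both sample messages are constructed
assumptions; off-hours is judged in UTC rather than the office time zone.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example.com"                                  # assumed org domain
EXEC_DIRECTORY = {"jane doe": "jane.doe@example.com"}       # assumed verified execs
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}     # look-alike substitutions

URGENCY = re.compile(r"end of day|urgent|asap|immediately|quick review", re.I)
SECRECY = re.compile(r"between us|do not share|don't share|keep this confidential", re.I)
BULK_PII = re.compile(r"\bW-?2s?\b|social security|\bssn\b|all employees", re.I)

# Constructed: display-name spoof, confusable lookalike domain, DMARC failure.
SCAM_EML = b"""From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-examp1e.com
To: payroll@example.com
Subject: W-2 copies needed today
Date: Sat, 1 Feb 2025 23:41:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;
 dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain

Are you available? I need the W-2 copies for all employees in PDF format
before end of day. Keep this between us for now.
"""

# Constructed: the same executive from the real address, clean authentication.
LEGIT_EML = b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 headcount deck
Date: Tue, 4 Feb 2025 10:15:00 +0000
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Can you drop the Q1 headcount deck in the shared folder when you get a chance?
"""


def normalize_label(label: str) -> str:
    """Undo common character substitutions so 'examp1e' compares as 'example'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def classify_domain(domain: str) -> str:
    """internal | lookalike:tld | lookalike:confusable | lookalike:affix | external"""
    domain = domain.lower()
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "internal"
    org_label, _ = ORG_DOMAIN.split(".", 1)
    label, _, _ = domain.partition(".")
    if label == org_label:                 # example.co, example.net
        return "lookalike:tld"
    norm = normalize_label(label)
    if norm == org_label:                  # examp1e.com, exarnple.com
        return "lookalike:confusable"
    if org_label in norm:                  # example-hr.com, mail-example.com
        return "lookalike:affix"
    return "external"


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        verdicts[method] = m.group(1).lower() if m else "missing"
    return verdicts


def triage(raw: bytes) -> list[str]:
    """Return the checklist indicators present in one message (empty = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = EXEC_DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:          # display-name spoofing
        findings.append(f"display-name spoof: '{name}' is {expected}, not {addr}")
    kind = classify_domain(domain)
    if kind != "internal":
        findings.append(f"sender domain {domain} is {kind}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():    # replies diverted elsewhere
        findings.append(f"reply-to mismatch: {reply_to}")
    for method, verdict in parse_auth_results(msg.get("Authentication-Results", "")).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent and (sent.weekday() >= 5 or not 7 <= sent.hour < 19):
        findings.append(f"sent off-hours: {sent.isoformat()}")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    for label, pattern in (("requests bulk employee PII", BULK_PII),
                           ("artificial urgency", URGENCY),
                           ("discourages consultation", SECRECY)):
        if pattern.search(text):
            findings.append(label)
    return findings


if __name__ == "__main__":
    for title, eml in (("scam", SCAM_EML), ("legit", LEGIT_EML)):
        print(title, triage(eml) or ["no indicators"])
```

A message from a compromised real account produces an empty list here, which is the point of the verification rule that follows: the script narrows the pile, it does not replace the phone call.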


What steps prevent W-2 scams?

Effective W-2 scam prevention requires layered controls that combine policy, training, and technical safeguards. No single measure is sufficient because the attack exploits human behavior, not technical vulnerabilities.

Policy controls

Establish mandatory verification procedures. The FBI recommends that organizations require verbal or in-person confirmation before any employee W-2 data, Social Security numbers, or bulk personnel records are shared. Require dual authorization from two separate individuals before any bulk PII transmission.

Restrict data access. Limit the number of employees who can access and transmit W-2 records. The smaller the group with access, the smaller the attack surface and the easier it is to enforce verification procedures.

Prohibit PII transmission by email. Implement a policy that employee tax records and PII are never transmitted via unencrypted email under any circumstances, regardless of who requests them. Direct all W-2 distribution through secure, authenticated portals.

Document and communicate procedures. Ensure all HR, payroll, and finance staff have written procedures for handling W-2 requests. Make clear that no executive, regardless of seniority, is authorized to override these procedures by email.

Training and awareness

Conduct regular security awareness training. Train HR, payroll, and finance staff specifically on W-2 scam tactics, including real examples of phishing language documented by the IRS. Update training annually as attack techniques evolve.

Run phishing simulations. Conduct realistic W-2 phishing simulations during tax season to test employee readiness. Use results to identify vulnerabilities and target additional training.

Brief leadership. Ensure executives understand that their identities are being used in these attacks and that they should expect verification calls from staff who receive unusual requests under their name.

Technical controls

Deploy email authentication protocols. NIST Special Publication 800-177 (Trustworthy Email) recommends implementing SPF, DKIM, and DMARC for all organizational domains. CISA Binding Operational Directive 18-01 requires federal agencies to implement these protocols. Setting DMARC policy to "reject" provides the strongest protection against direct spoofing of your own domain. Note what it does not cover: lookalike domains the attacker registers (which pass their own SPF and DKIM checks) and messages sent from a compromised internal account, so authentication complements verification procedures rather than replacing them.
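A first DMARC deployment is usually "p=none" for monitoring and is often never tightened, which leaves the domain as spoofable as before. The linter below is an added example for this article, not from NIST SP 800-177, CISA or the page's author: it parses SPF and DMARC TXT record strings and reports the settings that leave a domain spoofable (non-enforcing policy, partial pct, weaker subdomain policy, missing reports, permissive or missing SPF "all", and the RFC 7208 ten-lookup limit). The records are constructed strings; in practice you would fetch them first (for example `dig TXT _dmarc.example.com`), which this offline example deliberately does not do.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example for this article, not from NIST SP 800-177, CISA or the page's
author. The records are constructed strings; fetching them from DNS is left
out so the example runs offline. The 10-lookup limit is from RFC 7208; the
severity wording is this example's own.
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list[str]:
    """Return the weaknesses in a DMARC record; an empty list means it enforces."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    p = t.get("p", "")
    if p == "none":
        issues.append("p=none: failures are reported but still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif p != "reject":
        issues.append(f"p={p or '<missing>'}: no valid policy")
    pct = int(t.get("pct") or 100)
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = t.get("sp")
    if sp and sp != "reject":
        issues.append(f"sp={sp}: subdomains get a weaker policy than the organizational domain")
    if "rua" not in t:
        issues.append("no rua: no aggregate reports, so spoofing of the domain goes unseen")
    return issues


def lint_spf(record: str) -> list[str]:
    """Return the weaknesses in an SPF record; empty means hard-fail within limits."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    body = [term.lower() for term in terms[1:]]
    if "+all" in body or "all" in body:
        issues.append("+all: every host on the internet is an authorized sender")
    elif "?all" in body:
        issues.append("?all: neutral result, receivers treat it as no policy")
    elif "~all" in body:
        issues.append("~all: softfail only; acceptable only if DMARC p=reject enforces it")
    elif "-all" not in body:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    lookups = 0
    for term in body:                      # count mechanisms that cost a DNS query
        mechanism = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
        if mechanism in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: exceeds the RFC 7208 limit of 10 (permerror)")
    return issues


# Constructed records: a "monitoring only" first deployment beside an enforcing one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")
WEAK_SPF = "v=spf1 include:_spf.example-mailer.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.net -all"

if __name__ == "__main__":
    for name, record, lint in (("weak DMARC", WEAK_DMARC, lint_dmarc),
                               ("strong DMARC", STRONG_DMARC, lint_dmarc),
                               ("weak SPF", WEAK_SPF, lint_spf),
                               ("strong SPF", STRONG_SPF, lint_spf)):
        print(f"{name}: {lint(record) or ['ok']}")
```

Run it against every domain you own, including parked and marketing domains, since an unused domain with no DMARC record is the easiest one to spoof.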

Enable multi-factor authentication. Require MFA on all email accounts, with priority on accounts belonging to executives and employees with access to sensitive payroll and HR systems. MFA significantly reduces the risk of account takeover that enables internal impersonation.

Implement email filtering and analysis. Deploy email security tools that analyze sender behavior, detect display name spoofing, flag lookalike domains, and identify anomalous communication patterns. Solutions that examine email headers for authentication failures and compare sender metadata against known organizational contacts provide an additional layer of defense.

Monitor for lookalike domain registrations. Use brand protection services to detect when domains resembling your organization's primary domain are registered. Early detection enables proactive blocking and employee alerts before attacks launch.

Encrypt sensitive data. Require encryption for any file containing employee PII. Use organizational file-sharing platforms with access controls rather than email attachments for transmitting sensitive records.


What should you do if a W-2 scam succeeds?

Speed is critical when responding to a successful W-2 scam. The IRS, FBI, and FTC have published specific guidance for organizations that have lost employee data to these attacks.

Immediate actions (first 24 hours)

Notify the IRS. Email dataloss@irs.gov with "W-2 Data Loss" in the subject line. Include your organization's contact information but do not attach any employee PII. The IRS uses this notification to flag affected SSNs and watch for fraudulent returns.

File an FBI IC3 complaint. Submit a report at ic3.gov regardless of the dollar amount involved. The FBI IC3 Recovery Asset Team works with financial institutions and law enforcement to freeze funds in BEC cases and reported a 66% success rate in 2024; that team addresses fraudulent transfers, so a pure data theft has nothing to freeze, but the complaint still links your incident to the FBI's case tracking and to other victims of the same actor.

Notify state tax agencies. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to report the breach to the appropriate state taxing authorities.

File a law enforcement report. Report the incident to local law enforcement and retain the report number for documentation purposes.

Employee notification and support

Alert affected employees immediately. Timely notification enables employees to take protective action before attackers can exploit their data. Provide clear, specific information about what data was compromised and what steps employees should take.

Provide employee guidance. Direct affected employees to:

  • File an IRS Identity Theft Affidavit (Form 14039)
  • Place a fraud alert or credit freeze with all three credit bureaus (Equifax, Experian, TransUnion)
  • Review their credit reports at AnnualCreditReport.com
  • Report identity theft at IdentityTheft.gov (FTC)
  • Review IRS Publication 5027 (Identity Theft Information for Taxpayers) and Publication 4524 (Security Awareness for Taxpayers)
  • File tax returns as early as possible to reduce the window for fraudulent filings

Offer identity protection services. Provide credit monitoring and identity theft protection at no cost to affected employees. Several states, including California, require a minimum of 12 months of coverage following a data breach.

Investigation and remediation

Preserve all evidence. Retain the original phishing email with full headers, all related correspondence, and a complete timeline of the incident. Do not alter or delete any evidence.

Conduct a root cause analysis. Determine how the attack bypassed existing controls. Assess whether the organization had adequate training, verification procedures, email authentication, and access restrictions in place.

Check for ongoing compromise. Review email accounts for unauthorized forwarding rules, deleted items, or signs of continued access. Attackers sometimes maintain persistent access to monitor recovery efforts.
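Inbox-rule review is the one part of this check that scales badly by hand, because attackers hide persistence in rules named "." or ".." that forward externally, delete matches, or bury security mail in folders such as RSS Feeds. The audit below is an added example for this article, not the page's own code or any vendor tool: it reads an exported rule list and returns only the rules that show one of those traits. The JSON is constructed to resemble `Get-InboxRule | ConvertTo-Json` output, and the field names and ORG_DOMAIN are assumptions to map onto your own export.

```python
"""Audit exported inbox rules for the persistence tricks seen after account
takeover: external forwarding, auto-delete, hidden rule names, and rules that
bury security or payroll mail in folders nobody reads.

Added example for this article, not the page's own code or any vendor tool.
The JSON is constructed to resemble `Get-InboxRule | ConvertTo-Json` output;
field names and ORG_DOMAIN are assumptions, so map them to your export.
"""
import json

ORG_DOMAIN = "example.com"  # assumed organization domain
BURIAL_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
SENSITIVE_WORDS = {"w-2", "w2", "payroll", "ssn", "password", "security",
                   "suspicious", "hacked", "phishing", "wire", "invoice"}

# Constructed export: one attacker rule, one benign rule, one burial rule.
RULES_JSON = """[
  {"MailboxOwnerId": "ceo@example.com", "Name": ".", "Enabled": true,
   "ForwardTo": ["ceo.backup@gmail.com"], "RedirectTo": [], "DeleteMessage": true,
   "SubjectContainsWords": ["W-2", "payroll"], "MoveToFolder": null},
  {"MailboxOwnerId": "ceo@example.com", "Name": "Newsletters", "Enabled": true,
   "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false,
   "SubjectContainsWords": [], "MoveToFolder": "Newsletters"},
  {"MailboxOwnerId": "payroll@example.com", "Name": "Tidy", "Enabled": true,
   "ForwardTo": [], "RedirectTo": ["hr-team@example.com"], "DeleteMessage": false,
   "SubjectContainsWords": ["suspicious sign-in"], "MoveToFolder": "RSS Feeds"}
]"""


def is_external(address: str) -> bool:
    """True if the address is not under the organization's domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != ORG_DOMAIN and not domain.endswith("." + ORG_DOMAIN)


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons one rule is suspicious (empty = looks benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(field) or []:
            if is_external(addr):
                reasons.append(f"{field} external address {addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if not rule.get("Name", "").strip(" .,;-_"):       # "." or "" style names
        reasons.append("hidden or punctuation-only rule name")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in BURIAL_FOLDERS:
        reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    hits = {w for w in words if any(s in w for s in SENSITIVE_WORDS)}
    if hits:
        reasons.append(f"filters on sensitive subject words {sorted(hits)}")
    return reasons


def audit_rules(rules_json: str) -> list[dict]:
    """Run audit_rule over an export and return only the flagged rules."""
    flagged = []
    for rule in json.loads(rules_json):
        reasons = audit_rule(rule)
        if reasons:
            flagged.append({"mailbox": rule["MailboxOwnerId"],
                            "rule": rule.get("Name", ""), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in audit_rules(RULES_JSON):
        print(hit["mailbox"], repr(hit["rule"]), "->", "; ".join(hit["reasons"]))
```

Run the same check on transport rules and on OAuth app consents, since mailbox rules are only one of the places an attacker leaves a foothold.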

Engage legal counsel. Consult with legal counsel on breach notification obligations, which vary by state and may carry specific timelines and content requirements. The Schletter precedent demonstrates that organizations face potential enhanced liability if they lacked reasonable preventive measures.

Contact cyber insurance. If applicable, notify your cyber insurance carrier to initiate the claims process. Cyber policies typically cover breach notification costs, forensic investigation, identity protection services, legal defense, and regulatory penalties.

Process improvement

Update verification procedures based on the specific techniques used in the attack.

Brief all staff on how the attack succeeded and what changes have been implemented.

Increase simulation frequency during the subsequent tax season.

Evaluate technical controls to determine whether additional email security measures would have detected or prevented the attack.


Frequently Asked Questions about W-2 scams

When do W-2 scams typically occur?

W-2 scams surge between January and April during tax filing season, when requests for tax documents are expected and less likely to raise suspicion. The CyberRisk Alliance documented a 130% increase in W-2 fraud attempts between December 2023 and January 2024. However, attacks can occur at any time of year, particularly against organizations that process tax records outside the traditional filing window.

Who is most targeted by W-2 scams?

W-2 scams primarily target employees in HR, payroll, and finance departments who have access to employee tax records and are accustomed to processing requests from senior leadership. The FBI notes that these attacks have hit organizations of every size and type, including Fortune 500 corporations, small businesses, public schools, universities, hospitals, nonprofits, and government agencies. No organization is immune.

Can email security software stop W-2 scams?

Email security software can detect some W-2 scam indicators, including failed SPF/DKIM/DMARC authentication, lookalike domain usage, and display name spoofing. However, W-2 scams that use compromised legitimate accounts or pass technical authentication checks may bypass automated filters. The IRS has specifically noted that these attacks often evade antivirus software and spam filters because they contain no malicious code, links, or attachments. Effective defense requires combining technical controls with employee training and verification procedures.

What should an employee do if they already sent W-2 data?

If an employee has already transmitted W-2 data in response to a suspected scam, the organization should immediately email dataloss@irs.gov with "W-2 Data Loss" in the subject line, file a complaint with the FBI IC3 at ic3.gov, notify state tax authorities through StateAlert@taxadmin.org, and alert all affected employees so they can place fraud alerts, freeze credit, file IRS Form 14039, and monitor their accounts. Speed is critical because attackers attempt to monetize stolen W-2 data immediately.

How is a W-2 scam different from a data breach?

In a traditional data breach, attackers infiltrate computer systems to extract data without authorization. In a W-2 scam, an employee voluntarily sends the data in response to a fraudulent request. This distinction has legal significance. In Curry v. Schletter Inc., the court, ruling on a motion to dismiss, distinguished between a data breach (unauthorized system infiltration) and a data disclosure (an intentional response to a spoofed email) and found that the latter could expose the employer to enhanced damages under state identity theft protection law.


Executive summary

W-2 scams are business email compromise attacks in which criminals impersonate company executives to trick HR and payroll employees into sending employee W-2 tax forms. The stolen data, which includes Social Security numbers, home addresses, and salary information, is used to file fraudulent tax returns, open credit lines, and sell complete identities on dark web markets.

BEC attacks generated $2.77 billion in reported losses in 2024 according to the FBI IC3, with cumulative losses exceeding $17.1 billion since 2015. W-2 fraud attempts increased 130% entering the 2024 tax season. Real-world incidents have exposed the data of entire workforces, from 200 employees at Schletter Inc. to over 17,000 at American Senior Communities.

Defense requires layered controls: mandatory verbal verification for any PII request, restricted data access, email authentication (SPF, DKIM, DMARC), multi-factor authentication, regular phishing simulations, and clear incident response procedures. Organizations that fail to implement reasonable preventive measures face enhanced legal liability, as established by the Schletter precedent.

If a W-2 scam succeeds, immediately notify the IRS at dataloss@irs.gov, file an FBI IC3 report at ic3.gov, alert affected employees, and engage legal counsel on breach notification obligations.


Sources: FBI IC3 2024 Internet Crime Report · IRS Form W-2/SSN Data Theft Advisory (irs.gov) · NIST SP 800-177 Trustworthy Email · CISA BOD 18-01 · Association for Financial Professionals 2025 Fraud and Control Survey · Curry v. Schletter Inc., No. 1:17-cv-0001-MR-DLH (W.D.N.C. 2018) · CyberRisk Alliance W-2 Fraud Data 2024 · Norton LifeLock W-2 Phishing Advisory · Orion S.A. SEC Filing August 2024