WHAT TO DO IF W-2s WERE SENT TO A SCAMMER
Step-by-step incident response guide for businesses and employees whose W-2 forms were sent to a scammer. Covers IRS reporting, identity protection, fraud alerts, and prevention strategies.
The direct answer
If W-2 forms were sent to a scammer, act immediately. Email dataloss@irs.gov with the subject line "W2 Data Loss" to notify the IRS. Forward the phishing email to phishing@irs.gov with the subject line "W-2 Scam." File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. Notify all affected employees so they can place fraud alerts on their credit files, file IRS Form 14039 (Identity Theft Affidavit), and request an Identity Protection PIN. Speed is critical because the IRS may be able to flag fraudulent returns before they are processed.
What is a W-2 phishing scam?
A W-2 phishing scam is a form of business email compromise (BEC) in which a cybercriminal impersonates a company executive and sends an email to payroll, HR, or finance staff requesting employee W-2 data. The IRS has described this attack as one of the most dangerous phishing campaigns in the tax community because it bypasses traditional spam filters and relies entirely on social engineering.
W-2 forms contain everything a criminal needs to commit tax identity theft: full legal names, Social Security numbers, home addresses, and annual income figures. Once a scammer obtains this data, they can file fraudulent tax returns to claim refunds, open credit accounts in victims' names, or sell the information on dark web marketplaces.
The IRS refers to this scam interchangeably as business email compromise (BEC) or business email spoofing (BES). It is classified under the broader category of payroll diversion and data theft schemes tracked by the FBI's Internet Crime Complaint Center.
Why does this matter?
The financial and personal impact of W-2 data theft is severe, and the scale of the problem continues to grow.
Business email compromise remains the second most financially damaging cybercrime category in the United States. According to the FBI's 2024 Internet Crime Report, BEC scams accounted for $2.77 billion in reported losses, with 21,442 complaints filed that year alone. Total reported cybercrime losses reached a record $16.6 billion in 2024, representing a 33% increase over 2023.
Tax-related identity theft creates a cascading problem for victims. Once a fraudulent return is filed using stolen W-2 data, the legitimate taxpayer's return gets rejected. Resolving tax identity theft takes an average of nearly two years, according to the National Taxpayer Advocate's 2025 Objectives Report to Congress. During that period, victims may face delayed refunds, frozen accounts, and repeated interactions with the IRS to prove their identity.
The IRS flagged $16.5 billion in refunds for possible identity fraud in 2024, according to the National Taxpayer Advocate's mid-year report to Congress. For small businesses and nonprofits with limited IT resources, a single W-2 phishing incident can expose every employee in the organization simultaneously.
How does the W-2 phishing attack work?
The W-2 scam follows a predictable sequence, which makes it both preventable and dangerous when organizations are unaware of the pattern.
Step 1: Reconnaissance. The attacker identifies the target organization and researches its leadership structure. Executive names are typically found on company websites, LinkedIn profiles, and press releases. The attacker also identifies who handles payroll or HR functions, often through LinkedIn job titles or organizational charts.
Step 2: Email spoofing. The attacker creates an email that appears to come from a senior executive, usually the CEO, CFO, or company owner. Spoofing techniques range from simple display name manipulation (using the executive's name with a slightly different email address) to more sophisticated domain spoofing that mimics the company's actual email domain.
Step 3: The initial contact. The first email is often casual and designed to establish a conversation. It might read: "Hi, are you in the office today?" or "I need something handled quickly." This message tests whether the target will respond and establishes a sense of familiarity.
Step 4: The request. Once the target responds, the attacker makes the actual request: a list of all employee W-2 forms, typically as a PDF or spreadsheet. The request usually includes urgency cues such as "I need this before end of day" or "send them all in one file." Some attackers frame the request around a fabricated audit, tax filing deadline, or board meeting.
Step 5: Data exfiltration. If the target complies, the attacker receives W-2 data for every employee in the organization. The stolen data is then used to file fraudulent tax returns, sold to other criminals, or used for further identity theft schemes.
Step 6: Secondary attacks. In many cases, the attacker follows up the W-2 theft with a wire transfer request, leveraging the trust already established in the email thread. This combines data theft with direct financial fraud.
Real case: Snapchat's W-2 data breach
One of the most widely reported W-2 phishing incidents involved Snapchat. In February 2016, an attacker impersonated Snapchat CEO Evan Spiegel in an email to the company's payroll department. The email requested current and former employee W-2 information, and a payroll employee complied, sending the data to the attacker.
The breach exposed the names, Social Security numbers, and wage information of an undisclosed number of current and former employees. Snapchat publicly disclosed the incident, offered affected employees two years of free identity theft insurance and monitoring, and reported the attack to the FBI.
This case illustrates several critical points. The attacker did not need to breach any technical systems. No malware was used. No firewall was bypassed. The attack succeeded entirely through social engineering, exploiting the authority of the CEO's name and the routine nature of payroll requests. If a company the size of Snapchat can fall victim, any organization is vulnerable.
How do you detect a W-2 phishing email?
Use this checklist to evaluate any email requesting employee tax data.
Sender verification. Does the email actually come from the executive's verified email address, or does it use a slightly different domain or a personal email account? Hover over the sender's name to reveal the actual email address.
Request context. Is this request consistent with normal business processes? W-2 data should never be transmitted via email under any circumstances, regardless of who is asking.
Urgency language. Does the email pressure you to act immediately? Phrases such as "I need this before end of day," "don't tell anyone," or "handle this quietly" are social engineering tactics designed to override your judgment.
Reply-to mismatch. Does the reply-to address differ from the sender's displayed address? Attackers often set the reply-to field to a separate email account they control.
Timing. Does the request arrive during tax season (January through April), when W-2 requests seem more plausible? The IRS reports that these scams peak during filing season.
Chain of command. Did the request come through your organization's established process for handling sensitive data, or did it bypass normal channels?
Verification attempt. When you contact the supposed sender through a separate channel (phone call, in-person conversation, or verified Slack/Teams message), do they confirm the request?
If any of these checks raise concerns, do not send the data. Verify the request through an independent communication channel before taking any action.
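The checklist above can also be applied mechanically before a message ever reaches a payroll inbox. The script below is an added example, not code from the original article: it parses a raw email with Python's standard `email` module and flags the sender-domain, reply-to, W-2 wording, urgency-language and tax-season cues on two constructed sample messages. The corporate domain `example-corp.com`, the phrase lists and the scoring weights are assumptions chosen for the demonstration.

```python
"""Checklist-style triage of an email that may be asking for W-2 data.

Added example, not code from the original article. It applies the checks
above (sender domain, reply-to mismatch, W-2 wording, urgency language,
tax-season timing) to two constructed sample messages using only the
Python standard library. The corporate domain, phrase lists and scoring
weights are assumptions chosen for the demo.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the organization's real mail domain.
CORPORATE_DOMAIN = "example-corp.com"

# Urgency and secrecy cues named in the checklist.
URGENCY_PHRASES = ("before end of day", "asap", "immediately", "urgent",
                   "don't tell anyone", "handle this quietly")
# Wording that signals a request for tax / identity data.
W2_PHRASES = ("w-2", "w2", "wage and tax statement", "ssn", "social security")

# Weights: a W-2 request from an unverified sender is the core pattern;
# the remaining cues raise confidence.
WEIGHTS = {"sender_domain_mismatch": 3, "requests_w2_data": 3,
           "reply_to_mismatch": 2, "urgency_language": 1, "tax_season_timing": 1}

# Constructed sample 1: lookalike domain ('c0rp'), free-mail reply-to,
# W-2 request with urgency cues, sent during filing season.
SAMPLE_SUSPICIOUS = b"""From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: payroll@example-corp.com
Date: Tue, 18 Feb 2025 09:12:00 -0500
Subject: Quick request

Hi, are you in the office today? I need the W-2s for all employees in
one PDF before end of day. Handle this quietly please.
"""

# Constructed sample 2: routine internal mail from the real domain.
SAMPLE_BENIGN = b"""From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Date: Mon, 14 Jul 2025 14:05:00 -0400
Subject: Board deck

Could you send the headcount summary for the board deck when convenient?
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: bytes, corporate_domain: str = CORPORATE_DOMAIN) -> dict:
    """Run the checklist over one raw message; return findings, score, verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    findings = []

    # Sender verification: the From domain must be the real corporate domain.
    if domain_of(from_addr) != corporate_domain:
        findings.append("sender_domain_mismatch")
    # Reply-to mismatch: replies are steered to a different mailbox.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply_to_mismatch")
    # Request context: is the message asking for W-2 / SSN data at all?
    if any(p in text or p in subject for p in W2_PHRASES):
        findings.append("requests_w2_data")
    # Urgency language that tries to override the reader's judgment.
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency_language")
    # Timing: January through April is filing season.
    date_hdr = msg.get("Date")
    if date_hdr is not None and date_hdr.datetime.month in (1, 2, 3, 4):
        findings.append("tax_season_timing")

    score = sum(WEIGHTS[f] for f in findings)
    if "requests_w2_data" in findings and score >= 5:
        verdict = "block_and_verify"   # do not send; confirm via a separate channel
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "ok"
    return {"findings": findings, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

The verdict is deliberately conservative: any message that asks for W-2 data and fails the sender check is held for out-of-band verification, matching the policy that W-2 data never travels by email regardless of who appears to be asking. A mail gateway rule or a mailbox-side script can run the same logic; the value is in surfacing the combination of cues, since none of them alone is conclusive.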
How do you prevent W-2 phishing attacks?
Prevention requires a combination of policy controls, technical safeguards, and employee training.
Establish a formal W-2 request policy. Create a written policy that W-2 data will never be sent via email, regardless of who requests it. Require all W-2 requests to go through a secure portal or in-person verification process. Document this policy and distribute it to all HR, payroll, and finance personnel.
Implement dual-authorization controls. Require two authorized individuals to approve any release of bulk employee data. The IRS specifically recommends a two-person review process for W-2 requests.
Deploy email authentication protocols. Implement SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) on your organization's email domain. These protocols help prevent attackers from spoofing your domain in emails to your own employees.
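What these records actually buy you is easiest to see from the receiving side. The following is an added example, not the article's code and not any library's API: it implements the DMARC pass/fail decision a receiving mail server makes once SPF and DKIM have been evaluated, including strict versus relaxed identifier alignment and the subdomain policy tag. The domain names, the `AuthResults` inputs and the sample DMARC record are constructed for the demonstration, and the organizational-domain lookup is simplified.

```python
"""DMARC evaluation for a received message.

Added example, not the article's own code and not a library API. Given the
SPF and DKIM results a receiving mail server has already computed, the
domains those checks authenticated, and the DMARC record published for the
From: domain, it decides whether the message passes DMARC and which
disposition the record asks for. Domains and the sample record are
constructed for the demo; organizational-domain detection is simplified.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    """What a receiver knows after its SPF and DKIM checks (constructed)."""
    header_from_domain: str   # domain in the visible From: header
    spf_result: str           # "pass", "fail", "none", ...
    spf_domain: str           # envelope MAIL FROM domain that SPF checked
    dkim_result: str          # "pass", "fail", "none", ...
    dkim_domain: str          # d= tag of the verified DKIM signature


# Constructed record for the corporate domain: reject on failure, strict
# alignment for both identifiers, aggregate reports to a local mailbox.
CORP_DMARC = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@example-corp.com")


def parse_dmarc_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; require the DMARC1 version tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption for the demo; real receivers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(results: AuthResults, record_txt: str) -> dict:
    """RFC 7489 logic: pass if either authenticated identifier aligns with From:."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = (results.spf_result == "pass"
              and aligned(results.spf_domain, results.header_from_domain,
                          tags.get("aspf", "r")))
    dkim_ok = (results.dkim_result == "pass"
               and aligned(results.dkim_domain, results.header_from_domain,
                           tags.get("adkim", "r")))
    passed = spf_ok or dkim_ok
    # Subdomains use the 'sp' policy when the record defines one.
    from_dom = results.header_from_domain.lower()
    requested = tags.get("p", "none")
    if from_dom != org_domain(from_dom) and "sp" in tags:
        requested = tags["sp"]
    return {"dmarc_pass": passed, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else requested}


if __name__ == "__main__":
    # From: claims example-corp.com, but the envelope sender is an unrelated
    # domain: SPF may pass for that domain, yet it does not align.
    spoof = AuthResults("example-corp.com", "pass", "bulk-relay.example",
                        "none", "")
    print("spoofed:", evaluate_dmarc(spoof, CORP_DMARC))
    legit = AuthResults("example-corp.com", "pass", "example-corp.com",
                        "pass", "example-corp.com")
    print("legitimate:", evaluate_dmarc(legit, CORP_DMARC))
```

Two practical points follow from the logic. First, a record with `p=none` only reports; spoofed mail is still delivered, so the usual rollout is to monitor aggregate reports under `p=none`, then move to `quarantine` and `reject` once legitimate senders all align. Second, DMARC is evaluated against the record of the domain in the From: header, so it stops exact-domain spoofing of `example-corp.com` but says nothing about a lookalike such as `example-c0rp.com`, which publishes its own record or none; the display-name, reply-to and out-of-band verification checks from the detection section remain necessary alongside it.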
Train employees on BEC recognition. Conduct regular training that includes simulated phishing exercises specifically targeting payroll and HR staff. Training should emphasize that legitimate executives will not ask for W-2 data by email and that verifying unusual requests through a separate channel is always appropriate.
Use email security tools with AI-based threat detection. Traditional spam filters rely on signature-based detection, which misses BEC emails because they contain no malware, malicious links, or attachments. AI-powered email security tools analyze sender behavior, linguistic patterns, and contextual anomalies to detect social engineering attempts that bypass conventional filters.
Limit access to sensitive data. Restrict access to W-2 and payroll data to the minimum number of employees necessary. The fewer people who can access this data, the smaller the attack surface.
Verify changes to payroll processes. Any request to change direct deposit information, payroll procedures, or data handling processes should be verified through a separate communication channel before being acted upon.
What is the incident response plan if W-2s were sent?
If W-2 data has already been sent to a scammer, follow this sequence immediately. Every hour of delay increases the risk that fraudulent tax returns will be filed.
For the Employer
Within the first hour:
Notify your organization's IT security team and leadership. Preserve all evidence, including the phishing email, any attachments, email headers, and logs of the data that was sent. Do not delete the phishing email.
Within 24 hours:
Email dataloss@irs.gov with the subject line "W2 Data Loss." Include your organization's name, employer identification number (EIN), contact information, approximate number of affected employees, and the date of the incident. Do not attach any employee personally identifiable information.
Forward the phishing email to phishing@irs.gov with the subject line "W-2 Scam." Save the email as a file and send it as an attachment to preserve the email headers, which the IRS needs for its investigation.
File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov.
Report the incident to your state attorney general and any applicable state data breach notification authority.
Within 72 hours:
Notify all affected employees in writing. Provide clear instructions on the steps they should take (outlined below). Share IRS Publication 5027 (Identity Theft Information for Taxpayers) with every affected employee.
Contact local law enforcement to file a police report, which employees may need for fraud disputes.
If your organization works with a payroll service provider, notify them immediately.
For Affected Employees
Immediately:
Contact one of the three major credit bureaus (Equifax, Experian, or TransUnion) to place a fraud alert on your credit file. When you place an alert with one bureau, it is required to notify the other two. Consider placing a credit freeze, which provides stronger protection by preventing new accounts from being opened in your name.
Within one week:
File IRS Form 14039 (Identity Theft Affidavit) to alert the IRS that your information has been compromised. You can file this form online at irs.gov/dmaf/form/f14039 or download the paper form, complete it, and mail or fax it to the IRS.
Request an Identity Protection PIN (IP PIN) from the IRS at irs.gov/ippin. This six-digit number is assigned to your account and is required on all future tax filings, preventing anyone else from filing a return using your Social Security number.
File your tax return as early as possible. Filing before a scammer can file a fraudulent return in your name is the most effective way to prevent tax refund theft.
Within 30 days:
File an identity theft report with the Federal Trade Commission at IdentityTheft.gov. The FTC provides a personalized recovery plan and pre-filled letters you can send to credit bureaus, debt collectors, and other organizations.
Review your credit reports from all three bureaus at AnnualCreditReport.com. Look for accounts you did not open, inquiries you did not authorize, and addresses you do not recognize.
Monitor your IRS account for suspicious activity at irs.gov/account. Check for tax returns filed in your name that you did not submit.
Ongoing:
Continue monitoring credit reports and IRS transcripts for at least 12 months. Tax identity theft can surface months or even years after the initial data exposure.
Frequently Asked Questions
Can the IRS stop a fraudulent return if I report the W-2 theft quickly?
Yes. The IRS states that if notified quickly after a W-2 data loss, it may be able to take steps to help protect affected employees from tax-related identity theft. This includes flagging Social Security numbers associated with the breach so that fraudulent returns can be identified and stopped before refunds are issued. Speed of reporting directly affects the IRS's ability to intervene.
What is IRS Form 14039 and who should file it?
Form 14039 is the Identity Theft Affidavit used to report tax-related identity theft to the IRS. Any employee whose W-2 was sent to a scammer should file this form, even if a fraudulent return has not yet been filed in their name. Filing Form 14039 proactively alerts the IRS to monitor the taxpayer's account for suspicious activity. The form can be filed online at irs.gov or submitted by mail or fax.
What is an Identity Protection PIN and how does it help?
An Identity Protection PIN (IP PIN) is a six-digit number issued annually by the IRS that must be included on your tax return for it to be accepted. If a scammer attempts to file a return using your Social Security number but does not have your IP PIN, the return will be rejected. The IRS encourages all taxpayers to request an IP PIN, not just identity theft victims. You can request one at irs.gov/ippin.
Can an employer be held liable for a W-2 phishing incident?
Employers have a legal obligation to protect employee data, and liability varies by jurisdiction. Most states have data breach notification laws that require employers to notify affected individuals within a specific timeframe, typically 30 to 90 days. Failure to notify can result in regulatory penalties. Employers may also face lawsuits from affected employees, particularly if the breach resulted from a lack of reasonable security measures. Consulting legal counsel immediately after an incident is strongly recommended.
How do I report a W-2 scam email if my company did not fall victim?
If your company received a W-2 phishing email but did not send any data, you should still report it. Forward the phishing email to phishing@irs.gov with the subject line "W-2 Scam." Save the email as a file and send it as an attachment so that the IRS receives the email headers, which are essential for tracking and shutting down the scam operation. You can also report it to the FBI's IC3 at ic3.gov.
Executive summary (TL;DR)
W-2 phishing is a business email compromise attack in which a scammer impersonates a company executive and tricks payroll or HR staff into sending employee W-2 data by email. BEC accounted for $2.77 billion in reported losses in 2024 according to the FBI, and W-2 theft enables large-scale tax identity theft. If your organization sent W-2s to a scammer, immediately email dataloss@irs.gov (subject: "W2 Data Loss"), forward the scam email to phishing@irs.gov (subject: "W-2 Scam"), file an FBI IC3 complaint at ic3.gov, and notify all affected employees. Employees should place credit fraud alerts, file IRS Form 14039, request an Identity Protection PIN, and file their tax returns early. Prevention depends on establishing a policy that W-2 data is never sent via email, implementing dual-authorization controls for sensitive data requests, deploying email authentication (SPF, DKIM, DMARC), and using AI-powered email security that detects social engineering attacks rather than relying on signature-based filters alone.
Sources: IRS, "Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers," irs.gov | IRS, "Report Phishing," irs.gov | FBI Internet Crime Complaint Center, "2024 Internet Crime Report," ic3.gov | IRS, "Dirty Dozen Tax Scams for 2025," irs.gov | IRS, "Identity Theft Guide for Individuals," irs.gov | IRS, "Get an Identity Protection PIN," irs.gov | National Taxpayer Advocate, "2025 Objectives Report to Congress"