Watch Out for the W-2 Scam as Tax Season Approaches

BBB Consumer Alerts

The Internal Revenue Service (IRS) is again warning businesses about an email scam that uses a corporate officer’s name to request employee Forms W-2 from company payroll or human resources departments. The W-2 scam first appeared in 2016; however, it is not expected to slow down during the 2018 tax season. Cybercriminals pose as a company executive to trick payroll and human resources officials into disclosing employee names, Social Security Numbers and income information. The fraudulent email can go as far as including the spoofed executive’s actual email signature block to appear more legitimate. The thieves then attempt to file fraudulent tax returns for tax refunds or commit identity theft.

The IRS urges companies to report W-2 scam emails to the agency. If you or someone you know has become a victim of this scam, please report it. For more information, visit the IRS website and search for “Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.”

The following are details the email may contain:

• “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
• Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
• I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

How to guard against this scam:

  1. Always question requests for employee information or money, especially wire transfers, even if the request comes from the CEO or another executive. Before doing anything else, verify that the person named in the email actually made the request.
  2. Train employees to never click on pop-ups or links in emails from an unknown source.
  3. Implement two-factor authentication for access to company accounts and systems.
  4. Keep all computer operating systems up to date with the latest security fixes.
  5. Keep anti-virus and anti-malware applications up to date.
  6. Create a corporate verification process for electronic release of sensitive data or funds.

Source: Internal Revenue Service (IRS)

To report a scam, go to the BBB Scam Tracker. To find trustworthy businesses, go to
