In the midst of identity scams and credit card hacking, the IRS has warned against another scam, this time targeted at businesses and employers. There is a growing W-2 email scam threatening sensitive tax information and the IRS wants to alert payroll and human resources officials so they can be on their guard.

A simple email beginning with a casual greeting has quickly become one of the most dangerous phishing attacks. Hundreds of employers fell victim to the scheme last year, which left thousands of employees vulnerable to tax-related identity theft.

Since there have been significant improvements made in curbing stolen identity refund fraud, criminals are now seeking more advanced personal information in order to fraudulently file a return. W-2’s contain a wealth of detailed taxpayer income and withholding information, which is exactly what frauds are searching for and why they are targeting employers to acquire such information.

The scam has only grown larger in recent years, attacking a variety of businesses, from public universities and hospitals to charities and small businesses. The IRS wants to educate employees and employers, particularly payroll and HR associates who are often targeted first, to hopefully limit the number of successful attacks.

The scammer will likely spoof the email of someone high up in the organization or business, sending an email to someone with W-2 access using a subject line similar to “review” or “request.” The “request” will likely be a list of all the employees and their W-2 forms, potentially even specifying the file format. Since the employee believes they are corresponding with an executive of some sort, they may send the information without question, meaning weeks could go by before it is even evident they have been scammed. This gives frauds plenty of time to file numerous fake returns.

Because this scam poses such a major tax threat at both the local and state level, the IRS has set up a specific reporting process to alert the proper individuals, which is outlined briefly below:

  • Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. Type “W2 Data Loss” into the subject line so that the email can be routed properly and do not attach any employee personally identifiable information.
  • Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get state specific information on reporting victim information.
  • Businesses or payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). They may be asked to file a report with local law enforcement as well.
  • Notify employees so they are able to take protective steps against identity theft. The Federal Trade Commission website, www.identitytheft.gov, provides guidance on steps employees should take.
  • Forward the scam email to phishing@irs.gov.


Beyond just educating employees, payroll officials and HR associates about the scam, employers are encouraged to set up policies or practices to avoid being hacked. Suggested policies include requiring verbal communication before sending sensitive information digitally, or requiring two or more individuals to receive and review any sensitive W-2 information before it can be sent out. The IRS is fighting diligently to protect taxpayers and lower the number of tax-related scams, so employers are encouraged to be on the defense as well and safeguard their own tax paying employees.

Jean Miller