The Internal Revenue Service reported a marked increase in W-2 email phishing scams. Hackers are now sending email spam to businesses of all sizes, including nonprofits and schools.

In simplest terms, a phishing email is an email sent from a misleading source in an attempt to gather sensitive information, including credit card numbers, passwords, and other personal information. Scammers send emails that appear to be from a colleague or trustworthy contact and request a wire transfer, business intelligence, or employee information. Emails like these are also known as Business Email Compromise (BEC) or Business Email Spoofing (BES).

The recent phishing attempts involve cybercriminals contacting employees in the human resources or payroll departments using mock emails that appear to be from executives within the organization. They demand a list of all employees and their most recent W-2 forms. Criminals use this information to file fraudulent tax returns. Expect to see more of these phishing cases as we approach tax season.

Cybercriminals have been taking the W-2 phishing attack one step further. Some criminals follow up with a commonly known phishing scam, the wire transfer request, after the W-2 scam. Once the W-2s are received, criminals use the same bogus email addresses to send a message requesting a wire transfer.

These threats evolve as cybercriminals develop new techniques for obtaining information. Each year around tax season we see an increase in scams for personal information. Keep your business and your employees’ information safe by implementing the best practices below.

Best practices for avoiding phishing scams:

  • Be on the lookout for email addresses that are misspelled or that do not exactly align with common email usernames in your organization.
  • When someone requests sensitive information, follow up and verify the request.
  • Organizations like the IRS will never ask you to send sensitive information like W-2s, Social Security numbers or birthdates over email.
  • Spread the word to anybody who could conceivably receive a phishing email. Consider creating an internal policy when it comes to requesting sensitive information.
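
The first two practices can be partly automated at the mail gateway or in a triage script. The Python below is an added example, not part of the original article: it checks a message for a sender domain that is a near-miss of the organization's domain, an executive display name paired with the wrong address, a Reply-To that points elsewhere, and a request for W-2 or wire-transfer data. The domain `example.org`, the executive directory, the edit-distance threshold of 2, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own domain and directory.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"Pat Jordan": "pjordan@example.org"}
SENSITIVE = re.compile(r"\bw-?2s?\b|wire transfer|social security", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (misspelled) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(raw_message):
    """Return the reasons a message should be verified before anyone replies."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Misspelled domain: close to ours but not identical.
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Display name of a known executive with an address that is not theirs.
    known = EXECUTIVES.get(name)
    if known and addr.lower() != known:
        findings.append("executive-name-address-mismatch")
    # Replies would be routed to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-differs")
    if SENSITIVE.search(msg.get("Subject", "") + " " + str(msg.get_payload())):
        findings.append("sensitive-request")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Pat Jordan <pjordan@examp1e.org>\n"
           "Reply-To: pjordan@mail-example.net\n"
           "Subject: Urgent: employee W-2s\n\n"
           "Send me all employee W-2 forms today.\n")
LEGIT = ("From: Pat Jordan <pjordan@example.org>\n"
         "Subject: Lunch on Friday\n\nTeam lunch is at noon.\n")

if __name__ == "__main__":
    print(review(SPOOFED))
    print(review(LEGIT))
```

A message that returns any finding alongside `sensitive-request` is a candidate for the out-of-band verification described in the second practice.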

We talk about phishing threats frequently. Here are a few more resources to help you understand what spam and phishing threats are and how to recognize them:

How to Recognize Phishing Attempts

Is This Microsoft Audit Email Spam?

Social Engineering: Security Compromises that Result from Real Human Interaction


With Mirazon’s Managed Services on your side, you have a full IT team and top-notch technology to help protect your organization from threats like this.  Email us or call us at 502-240-0404 to learn more!