W2 phishing scams have a new twist: after tricking a company into handing over employee tax information, criminals are now also stealing directly from the same companies they scammed for W2 information in the first place.

The old saying – “The only things you can be sure of are death and taxes” – needs to be amended. The new saying is “The only things you can be sure of are death, taxes, and W2 Form scams.”

W2 Form Scams Explained

Starting in 2016, cyber criminals began using social engineering to steal W2 information so that they could file false income tax forms and get a refund. Identity theft is a related risk: stolen W2 information includes a person’s name, address, and social security number, which is often enough for a cyber criminal to steal that person’s identity and take out loans and credit cards for the thief’s personal use.

The 2016 Scam

The scam originated in 2016 and was a simple, yet effective, phishing scam. A thief uses a company executive’s name and asks a member of the Human Resources Department to forward a list of all employees, including each employee’s W2 information, to the phony executive. According to Forbes Magazine, the false messages are highly sophisticated and usually sound as if they are real. Following are some examples provided by Forbes:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
  • I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

This information allows criminals to file phony tax returns, get bogus refund checks, and steal the identities of employees.

How the Scam Evolved in 2017

In the first month of 2017, there have been many reports of successful phishing expeditions against companies in many industries. Targets include hospitals, school districts, and other main employers, as well as accounting and tax preparation firms. These attacks are either business email compromise (BEC) or business email spoofing (BES). The Federal Bureau of Investigation (FBI), which keeps statistics on these kinds of crimes, reports that attacks increased by 1,300% compared to the same time in 2016.

The 2017 Twist

Not only have the attacks increased astronomically, there is now a twist: a scam that began with requests for tax information now also has criminals stealing directly from the companies they scammed in the first place.

Criminals follow up their first email with a second one. This email goes to an executive of the targeted company who has access to corporate bank accounts. In the email, the bogus official directs the real business executive to transfer funds to an account, supposedly to pay monies due to the IRS. Of course, the account is owned by the cyber criminal.

IRS Commissioner John Koskinen said:

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.”

The IRS has sent some urgent warnings to tax preparers, businesses and payroll companies about these W2 scams.
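
Both stages described above (the W2 request sent to HR and the follow-up funds-transfer request) share a pattern a mail filter can check: an executive's name on a message whose sender or reply address is not the company's, combined with a request for W2 data or money. The following is an added example, not code from the original article or any product; the company domain, executive names, keyword lists and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration: the company's mail domain and its executives' names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan", "lee carter"}
W2_TERMS = re.compile(r"\bw-?2\b|social security number|wage and tax statement", re.I)
PAYMENT_TERMS = re.compile(r"\bwire\b|transfer funds|routing number", re.I)

def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()
def _body(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)

def score_message(raw):
    """Hold mail that pairs a sender-identity anomaly with a sensitive request."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To")) or from_domain
    text = msg.get("Subject", "") + "\n" + _body(msg)
    identity = {
        "executive name on external sender":
            display in EXECUTIVES and from_domain != COMPANY_DOMAIN,
        "Reply-To domain differs from From domain": reply_domain != from_domain,
    }
    request = {
        "asks for W-2 or employee identity data": bool(W2_TERMS.search(text)),
        "asks for a funds transfer": bool(PAYMENT_TERMS.search(text)),
    }
    reasons = [name for name, hit in {**identity, **request}.items() if hit]
    return {"hold": any(identity.values()) and any(request.values()), "reasons": reasons}

# Constructed sample messages; names and domains are placeholders.
W2_REQUEST = """From: "Pat Morgan" <pat.morgan@mail-review.test>
Subject: quick review

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all staff.
"""
WIRE_FOLLOW_UP = """From: "Pat Morgan" <pat.morgan@example.com>
Reply-To: pat.morgan@mail-review.test
Subject: IRS payment

Please transfer funds today to the account below to cover monies due to the IRS.
"""
for sample in (W2_REQUEST, WIRE_FOLLOW_UP):
    print(score_message(sample))
```

A check like this only catches spoofed senders; a request sent from an executive's genuinely compromised mailbox passes it, so W2 and payment requests still need confirmation through a separate channel such as a phone call to a known number.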

One way to make sure that your firm’s cyber security is state-of-the-art is to engage a managed security service provider in handling your cyber security.