HR, Beware: Cyber Thieves Are Phishing for W-2s

Aliah D. Wright By Aliah D. Wright March 2, 2016

Cyber thieves are now after W-2s in an apparent effort to file fake tax returns and claim refunds from the federal government.

Posing as company executives, cybercriminals have gotten HR professionals to e-mail them sensitive payroll data—including W-2s—with Social Security numbers, salary information, dates of birth, addresses and other personally identifiable data, according to a news release from the Internal Revenue Service.

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” IRS Commissioner John Koskinen stated in the release. 

He cautioned HR professionals to telephone or verify in other ways with executives or other employees before e-mailing such sensitive data.

"Every e-mail requesting sensitive data should be suspect and followed up with a phone-call," added Robert Siciliano, an identity theft expert with "Clicking links and providing sensitive data without follow up makes an HR professional no smarter than someone who falls for a "prince" in a Nigerian [e-mail] scam.

"Neither the IRS nor executives needing access to their employees' W-2 forms will or should request this kind of information via e-mail. Recognizing this simple ruse now ensures employees will be security aware and have an elevated security appreciation," he said. 

“If your CEO appears to be e-mailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” Koskinen added.

The IRS is conducting a criminal investigation into the hoax. It is reviewing several cases in which people have been tricked into sharing Social Security numbers with cyber thieves, according to the release. In addition to using the information in other ways, the thieves are filing fake tax returns in attempts to obtain refunds from the federal government.

How It Works

The thieves pretend to be company executives by “spoofing” e-mails—making their e-mails seem like legitimate ones coming from company executives. For example, HR professionals or payroll employees will receive a fake e-mail from what may seem to be the CEO’s account asking for a list of employees, as well as their sensitive data that includes their Social Security numbers.

According to the IRS, these are some excerpts from the e-mails:

  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  •  “Can you send me the updated list of employees with full details (name, Social Security number, date of birth, home address and salary)?”
  •  “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015. I need them in PDF file type. You can send it as an attachment. Kindly prepare the lists and e-mail them to me ASAP.”

Cybercrime expert Charles Henson, who is managing partner of Nashville Computer told SHRM Online that this isn't the only type of social engineering scam targeting HR professionals.

"We are seeing this and a similar scam where they are asking for Social Security numbers, dates of birth, employment dates, and home address for [the purpose of ] running a background check. We have also had clients wire money," too. 

More than HR Targeted

“The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community,” the release states.

Additional e-mails are being sent to taxpayers, seeking to trick them into believing they’ve been e-mailed by the Internal Revenue Service when they haven’t been. Some include e-mails from phony tax software companies or others in the tax industry.

In that ruse, the e-mails “seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information,” the IRS states.

Protect Yourself 

The IRS lists these and other steps on its site that HR professionals, payroll executives and other people can take to keep information secure. 

They include:

  • Always use security software with firewall and anti-virus protections.
  • Make sure the security software is always turned on and can automatically update.
  • Encrypt sensitive files such as tax records you store on your computer.
  • Use strong passwords.
  • Learn to recognize and avoid phishing e-mails and threatening calls or messages from thieves posing as representatives of legitimate organizations such as a bank, credit card company or the IRS.
  • Do not click on links or download attachments from unknown or suspicious e-mails.
  • Protect your personal data.
  • Don’t carry your Social Security card around, and make sure your tax records are secure.
  • Treat your personal information like you do cash; don’t leave it lying around.

Once they've fallen victim to this scam, HR will "need to notify the FBI and their employees immediately. They should also provide credit monitoring for their employees as well as suggest that each employee call the three big credit monitoring services and put a freeze on their credit," Hensen said.

That's not all.

HR professionals should also consider taking protective measures as well by "having a comprehensive cyber liability insurance policy ... to cover you for any liability associated with such a breach," added Harris Tsangaris, a managing director at NFP Property & Casualty Services, Inc., an insurance broker and consultant in New York City. "Hackers are sophisticated and relentless so it’s not an ‘if,’ but ‘when’ situation.”

Aliah D. Wright is an online editor/manager for SHRM.

Related Articles:
Employee Training to Reduce Cybersecurity Breaches Underused (SHRM Online, January 2016)
Educate Your Employees on Spear-Phishing (SHRM Online, August 2015)
Lessons for HR in Light of Data Breaches (SHRM Online, August 2014)



Hire the best HR talent or advance your own career.

Mandating (or Not) the COVID-19 Vaccine

It's time for employers to consider whether they will require employees to get the COVID vaccine.

It's time for employers to consider whether they will require employees to get the COVID vaccine.



HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.