Your small business is responsible for collecting, verifying, and processing heaps of financial information during tax season (which begins on January 23, 2023). During this period, it’s often necessary to send and request files to and from various departments, partners, and vendors to comply with IRS due dates and avoid tax penalties.
But taxpayers and businesses aren’t the only ones keeping busy during tax season. Cybercriminals, fraudsters, and scammers prey on unsuspecting businesses to steal sensitive information about employees.
In many cases, this type of cybercrime takes the form of a W-2 scam. Let’s look at what W-2 scams are, how they work, why it’s important to prevent them, and what you can do if you fall victim to a W-2 scam.
What Are W-2 Phishing Scams?
A W-2 scam is when someone poses as a company employee or executive to gain access to the personal information included in team members' Form W-2.
The stolen information is then used to file fraudulent tax returns and claim your employees’ refunds. This causes complications for your employees when it’s time for them to submit their returns, since it looks like they’ve already received their tax refunds.
The scammer might also use the employee’s personally identifiable information (PII) to take out new debt or sell the information to other criminals (for example, on the dark web).
So what, exactly, can a scammer see on a W-2? These forms include:
- Social Security number (SSN)
- Annual income
- Taxes withheld
Form W-2 information also includes your business’s employer identification number (EIN) and state ID number.
This worrisome scam is a form of phishing, called a business email compromise (BEC), and it usually starts with an email.
How Do These Scams Work?
Typically, a W-2 scam begins when a fraudster combs through your business’s social media profiles, website, and LinkedIn to gather employee information, including titles, responsibilities, email addresses, and relationships.
This information is then used to pose as a higher-up “persona,” like a company executive, owner, or HR director.
When tax season begins, the scammer forges—or “spoofs”—an email address to appear as if it belongs to the impersonated individual. (For example, YourCEOsName@YourBusinessName.net.)
After spoofing a legitimate-looking email address, the scammer sends a W-2 phishing email to your company’s accountant or human resources representative with a request for your company’s W-2 forms. They may also target individual employees—particularly new, junior, or entry-level employees—emailing them with a request for W-2 information.
Because the request appears authentic, the recipient has little reason to reject it. As a result, the scammer gets access to the personal information included on each W-2 form. With each Form W-2 in hand, the scammer then has what they need to either file a fraudulent return or make some quick cash by selling the information.
What Do W-2 Scam Emails Look Like?
According to the Internal Revenue Service (IRS), examples of a W-2 scam email are:
- Kindly send me the individual 2022 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)?
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2022, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
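The traits described above (a W-2 data request, an executive's name on a look-alike address) can be checked automatically before a message reaches HR or accounting. The following Python sketch is an added example, not part of the original article or any IRS tooling; the company domain, the executive name, the indicator labels, and the check of the `Authentication-Results` header are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "yourbusinessname.com"   # assumption: the company's real mail domain
EXEC_NAMES = {"pat example"}          # assumption: people likely to be impersonated
W2_REQUEST = re.compile(
    r"\bW-?2\b|social security number|wage and tax statement|earnings summary", re.I)
AUTH_NOT_PASSING = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", re.I)

def domain_of(header_value):
    """Lower-cased domain of the address in a From header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def indicators(raw):
    """List the W-2 BEC indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    hits = []
    if W2_REQUEST.search(f"{msg.get('Subject', '')}\n{msg.get_payload()}"):
        hits.append("asks-for-w2-data")
    if from_dom != ORG_DOMAIN:
        if display in EXEC_NAMES:
            hits.append("executive-name-on-external-address")
        if from_dom.split(".")[-2:-1] == ORG_DOMAIN.split(".")[-2:-1]:  # .net vs .com
            hits.append("lookalike-domain")
    if AUTH_NOT_PASSING.search(msg.get("Authentication-Results", "")):
        hits.append("sender-authentication-not-passing")
    return hits

def should_hold(raw):
    """Hold for out-of-band verification: a W-2 request plus any sender anomaly."""
    hits = indicators(raw)
    return "asks-for-w2-data" in hits and len(hits) > 1

# Constructed sample messages (not real mail).
SPOOFED = """\
From: "Pat Example" <pat.example@yourbusinessname.net>
Subject: W-2 review
Authentication-Results: mx.yourbusinessname.com; spf=fail; dmarc=fail

Kindly send me the individual 2022 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""
INTERNAL = """\
From: "Payroll" <payroll@yourbusinessname.com>
Subject: Your W-2 is ready in the payroll portal
Authentication-Results: mx.yourbusinessname.com; spf=pass; dkim=pass; dmarc=pass

Sign in to the portal as usual to download it.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, should_hold(raw), indicators(raw))
```

A message that is held this way still needs the phone-call or in-person confirmation described later in this article; the check only decides which requests get that extra step.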
How W-2 Scams Negatively Impact Your Business and Your Employees
The FTC records phishing schemes and W-2 scams as instances of tax-related identity theft and fraud. According to its 2021 Consumer Sentinel Network Data Book, identity theft accounted for 1,434,676 total reports, with tax fraud making up about 6.2 percent of those reports.
What does this mean for your small business and employees?
As mentioned, Form W-2 includes sensitive personal information—including all the details a scammer needs to steal an employee’s identity, claim an employee’s tax refund, or take out new debt in an employee’s name. W-2 scams can also delay the processing of a legitimate tax return.
Additionally, the collected information might even be listed and sold on the dark web, resulting in further cybercrimes, such as additional acts of identity theft or data breaches (including the ability to steal your employees’ personal passwords or gain access to their personal banking, credit, and social media accounts).
From a small business standpoint, a successful W-2 email scam can cause a variety of issues. For example, it can expose your company to potential legal issues, like a class-action lawsuit.
It can also negatively impact your budget and bottom line. Handling the fallout of a successful W-2 scam can result in increased labor hours and costs, a rise in your cyber insurance premium, and a potential hit to your business reputation. It can also impact employee morale and turnover, complicating regular business operations and increasing expenses.
How to Protect Your Business From W-2 Scams
Your small business needs to implement a proactive prevention strategy to protect you and your employees from falling victim to W-2 scams. So how, exactly, do you do that? Some steps you’ll want to take include:
- Assessing your risk: Risk management is a process of reviewing your current systems and processes to help identify, assess, and mitigate vulnerabilities that can threaten your business and its employees. Effective risk management can reveal security flaws—like ineffective email filters, insufficient (or nonexistent) encryption, and weak or stolen passwords and credentials—that allow cybercriminals to spoof emails, and it can identify lax policies that make you more vulnerable to potential W-2 scams. It can also reveal gaps in insurance coverage—like low coverage limits or lacking the proper policy—that leave your business exposed to financial damage after a successful W-2 scam or phishing scheme.
- Training your team on cybersecurity techniques: The more informed your employees are, the less vulnerable they’ll be to getting scammed. Provide your employees with frequent training on best practices to avoid and recognize W-2 scams. Share resources, such as recent consumer alerts and known tax scams, that help employees identify common techniques for stealing company data. Teach employees to identify spoofed emails, verify the authenticity of links, and recognize scam email tells—such as misspellings, incorrect grammar, and doctored logos.
- Instituting scam prevention policies: The FBI recommends businesses protect against W-2 scams by limiting the number of employees with access to employees’ personal information, verbally or physically authenticating requests for W-2 forms, verifying the identity of a requesting party through alternative methods (such as a phone call or text), and requiring dual-approval for potentially suspicious requests.
- Simulating W-2 scams: Craft and send mock email scams to your employees to call attention to existing vulnerabilities and areas where you can improve training. Use the information you learn during practice to continually hone and improve your processes and cover new techniques in your next training session.
- Sharing real-world examples of W-2 scams: Nothing drives home the severity of a threat like a real-world example. Share news reports that demonstrate the impact a W-2 scam has on a business and its employees to highlight the importance of prevention and protection.
What to Do if You’re a Victim of a W-2 Phishing Scam
Cybercriminals and fraudsters are persistent; they’re constantly looking for ways to bypass your risk avoidance methods.
Fortunately, understanding how you and your employees should respond to a successful W-2 scam can mitigate the extent of its damage and make matters right.
As a small business owner, you’re responsible for protecting your employees and their information. If your business falls victim to a W-2 scam, your response can limit the damage done to both your employees and the business itself.
Here’s what to do if you find yourself dealing with a W-2 scam:
- Email the IRS: Send an email to firstname.lastname@example.org with the subject line “W2 Data Loss.” In your email, include the name of your business, your EIN, your contact information, how the W-2 scam happened, and the number of employees affected. Do not include any employee information.
- Report the fraud to your state tax agency: Report the W-2 scam to your state tax agency. You can email StateAlert@taxadmin.org for information on who to contact.
- File a complaint with the Internet Crime Complaint Center: Businesses and payroll service providers should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3). You might also be asked to provide details to your local law enforcement agency.
- Alert your employees: After alerting the IRS, your state tax agency, and law enforcement, you need to tell your employees about the data theft. This lets them take steps to protect their identities and finances and prepare to deal with the consequences of the W-2 scam.
- Contact your insurance company: If you have cyber insurance, you should contact your insurance company to begin the claims process. You should also contact your IT department to determine if there have been any other data breaches or ongoing security risks that need to be mitigated and resolved, like stolen or exposed passwords, keyloggers that record what employees type, or malware that steals and transmits sensitive employee data.
If you receive a W-2 phishing email—but don’t fall for the scam—it’s still important to alert the authorities. In this situation, the IRS asks that you:
- Save the W-2 scam email as a file on your computer.
- Keep the email headers intact and in plain ASCII text format.
- Attach the saved file in an email to email@example.com with the subject line “W2 Scam.”
- File a complaint with the IC3.
It’s not just small businesses that need to deal with the consequences of a W-2 scam. Employees need to take steps to protect their personal information—which is why it’s so important for you to alert them to a successful data theft as soon as possible.
The IRS recommends that your employees:
- Read the Taxpayer Guide to Identity Theft, Publication 5027, Identity Theft Information for Taxpayers, and Publication 4524, Security Awareness for Taxpayers.
- Contact one of the three credit bureaus to place a fraud alert or credit freeze on their accounts.
- Report potential identity theft on IdentityTheft.gov.
In addition, employees should keep a close eye on their credit reports through services like AnnualCreditReport.com. They might also wish to cancel or freeze credit and debit cards, contact their insurance companies, and change passwords.
Frequently Asked Questions About W-2 Scams
Still have questions about Form W-2 and W-2 scams? Let’s look at some FAQs regarding W-2s and W-2 phishing scams.
Can someone steal your identity with your W-2?
Yes. Form W-2 includes your personally identifiable information, including your name, address, and Social Security number. Criminals can use this information to steal your identity, apply for credit and loans, and cause significant financial harm if not stopped in time.
What happens if someone finds your W-2 form?
Someone who finds a W-2 form that doesn’t belong to them should ignore it, return it to their employer, or mark it “return to sender” and place it back into a mailbox (if it was mailed and is still inside its envelope).
It is illegal and fraudulent for someone to use the information on your W-2 form to file a tax return, apply for credit, or do anything else they don’t have permission to do or aren’t authorized to do on your behalf (as would be the case with a tax preparer or accountant).
If you never received your W-2 and you have reason to believe it was stolen or tampered with, you should proceed as if you fell victim to a W-2 scam. You should also monitor your finances and credit to determine if your identity was stolen and take steps to mitigate any damage.
Is W-2 mail legal?
Yes. The IRS requires that employees receive Form W-2 electronically or by mail. Though federal law prohibits anyone from stealing or tampering with mail, make sure your employer has the correct address and contact information on file before they begin processing W-2 forms.
Take a Proactive Stance Against W-2 Scams and Identity Theft
As a small business owner and employer, you’re responsible for properly handling and safeguarding your employees’ personally identifiable information. W-2 scams can expose this information to cybercriminals and fraudsters, causing significant financial harm to both your business and its employees.
Avoid falling victim to W-2 phishing scams by implementing policies and procedures that proactively protect against data theft. Train your employees to recognize scams and understand the process for dealing with successful phishing attempts to mitigate damage and protect your business and employees.
1. Introducing Yourself
Your introductory email needs to pack a lot of information into a small package. Try something like this:
My name is John Doe and I work for ABC Agency, where we provide business insurance policies to many of Dallas' rockstar small businesses.
Congratulations on your new business, Jane's Bakery. Are you wondering if you have all the insurance you need? Or if your policies will really cover you in a pinch?
At ABC Agency, we pride ourselves on providing robust, comprehensive coverage options to companies like yours with flexible, pay-as-you-go plans.
Are you available this week to talk more about how we can help? I can help you find the most affordable rates and the best policies out there.
I look forward to speaking with you soon.
2. Presenting a Quote
Once you've met with your potential client, a quick reply with their quote will get the ball rolling.
Thanks so much for meeting with me this morning. I loved touring Jane's Bakery–I can still smell those delicious chocolate chip cookies baking! You have a great location, and I'm sure you're going to do great on Front St.
After reviewing my notes, I've pulled together an insurance quote for you (attached). I recommend a business owner's policy. A BOP includes several insurance products in one: liability, property insurance, and business interruption insurance. It offers robust coverage at a competitive price.
I'll call you in a few days to see what you think about this insurance plan. In the meantime, if you have any questions, don't hesitate to email me or call me at [phone number].
Again, thank you for your time today. I look forward to working with you in the future.
3. Thanks for Purchasing a Policy
Gratitude is important! It's never a bad idea to thank your clients for their business.
Thank you for choosing a business owner's policy with ABC Agency. We know it's so important to get the right coverage for your business, and we are honoured you've placed your trust in us.
We're excited to work closely with you, and our no. 1 goal is to make sure your business is always protected.
Do you have any questions? We are here to help. Reach out whenever something comes to mind.
Thank you again for choosing ABC Agency to insure Jane's Bakery.
4. Welcome Email
A welcome email helps clients feel like you're there to help–and can softly pitch other insurance products you offer.
Welcome to the ABC family! We are thrilled to have you as a new customer and can't wait to meet all of your insurance needs.
As an independent insurance agency, we work with multiple insurance providers to find the best coverage options for all our customers. If you need any other type of insurance–like [include additional offerings unique to your agency, like life insurance, health insurance, home insurance or anything else]–we can help you too.
Do you want to discuss any of these policies?
5. Introducing a New Product
A happy client may want to expand their business with you.
I hope all is well with you and Jane's Bakery. I stopped in yesterday for a blueberry muffin and coffee, and they were delicious. I loved the hint of cinnamon in the muffin! Was that your idea?
I wanted you to be the first to know we are now offering commercial vehicle insurance to our policyholders. Auto insurance for your catering vans is super important since your personal car insurance won't cover them.
We're offering this insurance coverage solely to our current business clients at the moment and have some very competitive rates.
Would you like me to work up a quote for you?
As always, thanks so much for being a part of the ABC family.
6. Asking For Referrals
Once your relationship is established and comfortable, let your clients help you grow.
You've been a valuable member of the ABC family for two years now, and we so appreciate your business–not to mention the muffins you supply for our monthly meetings!
Because you are a valued policyholder, I wanted to ask a quick favour. I know you are active in the local Chamber of Commerce, and I'm hoping you might know some colleagues who would benefit from working with our insurance company.
Referrals are one of the most effective ways to connect with our community since people really trust their friends, family and colleagues. Is there anyone you'd recommend I speak with?
Remember that in addition to business insurance products, we offer everything from life insurance policies to pet insurance.
As a thank you for your help, we will send you an Amazon gift card of $100 when your referrals buy insurance from us.
Thanks so much for your help!
7. Policy Renewal
If your client needs to renew their policy with you, send an email like this:
I hope you're doing well! What a year it's been—from being listed as one of the top 5 bakeries in Dallas to being an official vendor for the city—you have so much to be proud of.
Just a heads up that your business owner's policy is up for renewal soon and will expire on June 15, 2023.
If you're still happy with the coverage, we can easily renew it for you.
Do you have some time to chat this week?
Looking forward to serving you again!