Remembering Shay Litvak Our Co-Founder and CTO

November 1979 - September 2023

W-2 Scams: What They Are and How to Avoid Them

W-2 ScamsW-2 Scams
min read
August 21, 2023

Your small business is responsible for collecting, verifying, and processing heaps of financial information during tax season (which begins on January 23, 2023). During this period, it’s often necessary to send and request files to and from various departments, partners, and vendors to comply with IRS due dates and avoid tax penalties.

But taxpayers and businesses aren’t the only ones keeping busy during tax season. Cybercriminals, fraudsters, and scammers prey on unsuspecting businesses to steal sensitive information about employees.

In many cases, this type of cybercrime takes the form of a W-2 scam. Let’s look at what W-2 scams are, how they work, why it’s important to prevent them, and what you can do if you fall victim to a W-2 scam.

What Are W-2 Phishing Scams?

A W-2 scam is when someone poses as a company employee or executive to gain access to the personal information included in team members' Form W-2.

The stolen information is then used to file fraudulent tax returns and claim your employees’ refunds. This causes complications for your employees when it’s time for them to submit their returns, since it looks like they’ve already received their tax refunds.

The scammer might also use the employee’s personally identifiable information (PII) to take out new debt or sell the information to other criminals (for example, on the dark web). 

So, what, exactly can a scammer see on a W-2? These forms include:

Form W-2 information also includes your business’s employer identification number (EIN) and state ID number.

This worrisome scam is a form of phishing, called a business email compromise (BEC), and it usually starts with an email.

How Do These Scams Work?

Typically, a W-2 scam begins when a fraudster combs through your business’s social media profiles, website, and LinkedIn to gather employee information, including titles, responsibilities, email addresses, and relationships.

This information is then used to pose as a higher-up “persona,” like a company executive, owner, or HR director.

When tax season begins, the scammer forges—or “spoofs”—an email address to appear as if it belongs to the impersonated individual. (For example,

After spoofing a legitimate-looking email address, the scammer sends a W-2 phishing email to your company’s accountant or human resources representative with a request for your company’s W-2 forms. They may also target individual employees—particularly new, junior, or entry-level employees—emailing them with a request for W-2 information.

Because the request appears authentic, the recipient has little reason to reject it. As a result, the scammer gets access to the personal information included on each W-2 form. With each Form W-2 in hand, the scammer then has what they need to either file a fraudulent return or make some quick cash by selling the information.

What Do W-2 Scam Emails Look Like?

According to the Internal Revenue Service (IRS), examples of a W-2 scam email are:

How W-2 Scams Negatively Impact Your Business and Your Employees

The FTC records phishing schemes and W-2 scams as instances of tax-related identity theft and fraud. According to its 2021 Consumer Sentinel Network Data Book, identity theft accounted for 1,434,676 total reports, with tax fraud making up about 6.2 percent of those reports.

What does this mean for your small business and employees?

As mentioned, Form W-2 includes sensitive personal information—including all the details a scammer needs to steal an employee’s identity, claim an employee’s tax refund, or take out new debt in an employee’s name. W-2 scams can also delay the processing of a legitimate tax return.

Additionally, the collected information might even be listed and sold on the dark web, resulting in further cybercrimes, such as additional acts of identity theft or data breaches (including the ability to steal your employees’ personal passwords or gain access to their personal banking, credit, and social media accounts).

From a small business standpoint, a successful W-2 email scam can cause a variety of issues. For example, it can expose your company to potential legal issues, like a class-action lawsuit.

It can also negatively impact your budget and bottom line. Handling the fallout of a successful W-2 scam can result in increased labor hours and costs, a rise in your cyber insurance premium, and a potential hit to your business reputation. It can also impact employee morale and turnover, complicating regular business operations and increasing expenses.

How to Protect Your Business From W-2 Scams

Your small business needs to implement a proactive prevention strategy to protect you and your employees from falling victim to W-2 scams. So how, exactly, do you do that? Some steps you’ll want to take include:

What to Do if You’re a Victim of a W-2 Phishing Scam

Cybercriminals and fraudsters are persistent; they’re constantly looking for ways to bypass your risk avoidance methods

Fortunately, understanding how you and your employees should respond to a successful W-2 scam can mitigate the extent of its damage and make matters right.

For Employers

As a small business owner, you’re responsible for protecting your employees and their information. If your business falls victim to a W-2 scam, your response can limit the damage done to both your employees and the business itself.

Here’s what to do if you find yourself dealing with a W2 scam:

  1. Email the IRS: Send an email to with the subject line “W2 Data Loss.” In your email, include the name of your business, your EIN, your contact information, how the W-2 scam happened, and the number of employees affected. Do not include any employee information.
  2. Report the fraud to your state tax agency: Report the W-2 scam to your state tax agency. You can email for information on who to contact.
  3. File a complaint with the Internet Crime Complaint Center: Businesses and payroll service providers should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3). You might also be asked to provide details to your local law enforcement agency.
  4. Alert your employees: After alerting the IRS, your state tax agency, and law enforcement, you need to tell your employees about the data theft. This lets them take steps to protect their identities and finances and prepare to deal with the consequences of the W-2 scam.
  5. Contact your insurance company: If you have cyber insurance, you should contact your insurance company to begin the claims process. You should also contact your IT department to determine if there have been any other data breaches or ongoing security risks that need to be mitigated and resolved, like stolen or exposed passwords, keyloggers that record what employees type, or malware that steals and transmits sensitive employee data.

If you receive a W-2 phishing email—but don’t fall for the scam—it’s still important to alert the authorities. In this situation, the IRS asks that you:

  1. Save the W-2 scam email as a file on your computer.
  2. Keep the email headers intact and in plain ASCII text format.
  3. Attach the saved file in an email to with the subject line “W2 Scam.”
  4. File a complaint with the IC3.

For Employees

It’s not just small businesses that need to deal with the consequences of a W-2 scam. Employees need to take steps to protect their personal information—which is why it’s so important for you to alert them to a successful data theft as soon as possible.

The IRS recommends that your employees:

In addition, employees should keep a close eye on their credit reports through services like They might also wish to cancel or freeze credit and debit cards, contact their insurance companies, and change passwords.

Frequently Asked Questions About W-2 Scams

Still have questions about Form W-2 and W-2 scams? Let’s look at some FAQs regarding W-2s and W-2 phishing scams.

Can someone steal your identity with your W-2?

Yes. Form W-2 includes your personally identifiable information, including your name, address, and Social Security number. Criminals can use this information to steal your identity, apply for credit and loans, and cause significant financial harm if not stopped in time.

What happens if someone finds your W-2 form?

Someone who finds a W-2 form that doesn’t belong to them should ignore it, return it to their employer, or mark it “return to sender” and place it back into a mailbox (if it was mailed and is still inside its envelope).

It is illegal and fraudulent for someone to use the information on your W-2 form to file a tax return, apply for credit, or do anything else they don’t have permission to do or aren’t authorized to do on your behalf (as would be the case with a tax preparer or accountant).

If you never received your W-2 and you have reason to believe it was stolen or tampered with, you should proceed as if you fell victim to a W-2 scam. You should also monitor your finances and credit to determine if your identity was stolen and take steps to mitigate any damage.

Is W-2 mail legal?

Yes. The IRS requires that employees receive Form W-2 electronically or by mail. Though federal law prohibits anyone from stealing or tampering with mail, make sure your employer has the correct address and contact information on file before they begin processing W-2 forms.

Take a Proactive Stance Against W-2 Scams and Identity Theft

As a small business owner and employer, you’re responsible for properly handling and safeguarding your employees’ personally identifiable information. W-2 scams can expose this information to cybercriminals and fraudsters, causing significant financial harm to both your business and its employees.

Avoid falling victim to W-2 phishing scams by implementing policies and procedures that proactively protect against data theft. Train your employees to recognize scams and understand the process for dealing with successful phishing attempts to mitigate damage and protect your business and employees.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.