It’s Not a Form—It’s a Scam.
It’s February.
Your accountant’s booked solid. Your team’s gathering W-2s and 1099s. Deadlines are looming. You’re in “get it done” mode.
But there’s something else kicking off right now—and it’s got nothing to do with taxes.
It’s cybercriminals targeting small businesses with the first big scam of the season.
And it’s sneaky, fast, and all too easy to fall for.
🎯 The W-2 Scam: Here’s How It Works
It usually starts with a simple, believable email:
“Hey—need copies of all employee W-2s for our accountant meeting. Can you send them over today? Swamped right now.”
It looks like it came from your CEO. Or the owner. Or a senior manager.
It sounds right. It’s short, casual, urgent—but not pushy.
Your payroll person or HR team sends over the W-2s.
Only it wasn’t the CEO.
It was a scammer using a spoofed or lookalike email address.
And now, they’ve got:
-
Employee names
-
Social Security numbers
-
Home addresses
-
Salary info
Everything needed for identity theft—or to file fake tax returns before your staff can.
😬 How You Find Out Something’s Wrong
Usually, it starts when an employee tries to e-file their taxes—and gets a message that their return was already submitted.
By someone else.
Suddenly, they’re dealing with the IRS, fraud alerts, and months of identity protection—all because of a document they didn’t even realize got leaked.
Multiply that by your entire team?
Now you’ve got a full-blown HR crisis on your hands—not to mention legal and reputational fallout.
Why This Scam Works So Well
This isn’t a cartoonish “foreign prince” email. It’s effective because it feels… normal.
Here’s why:
✅ The timing is perfect — It’s W-2 season. No one’s surprised to see requests for payroll data.
✅ The request sounds reasonable — You do share W-2s with accountants.
✅ The tone feels natural — Busy leaders asking for quick help? That’s not suspicious.
✅ The email looks legit — Scammers research you. They know names, roles, and sometimes even recent projects.
✅ Employees want to be helpful — Especially when the “boss” is asking.
And that combo makes this one land fast and hard.
🔐 How to Stop It Cold—Before It Hits
You don’t need fancy software. You need five clear moves:
🚫 1. No W-2s via Email. Ever.
Set a standing rule:
“We don’t send W-2s or payroll data by email. Period.”
If a request comes in—even if it looks real—the answer is “Let me verify another way.”
☎️ 2. Always Confirm Sensitive Requests Out-of-Band
If someone asks for financial or employee info, confirm it in another channel:
-
Pick up the phone
-
Slack or text the person (on a number you know)
-
Ask in person if they’re in the office
Don’t reply directly to the message. Scammers count on that.
📣 3. Hold a 10-Minute Team Huddle This Week
Don’t wait for the attack.
Sit down with payroll, HR, and anyone else with access to employee data. Tell them:
-
These scams are on the rise
-
What the fake messages might say
-
How your company handles these requests (aka: verify everything)
It’s a cheap form of insurance.
🔒 4. Lock Down Payroll Systems with MFA
If someone’s login gets compromised, multi-factor authentication (MFA) is your last line of defense.
Make sure every tool that holds employee data requires MFA—especially if your team logs in remotely.
🧠 5. Make Verification a Company Habit
Want your employees to double-check before sending data?
Praise them when they do. Don’t treat it like paranoia or delay.
Build a culture where people are expected—and rewarded—for asking, “Can I confirm this real quick?”
Scams thrive in silence. They fail when questions are encouraged.
🚨 Bonus: The W-2 Scam Is Just the Beginning
Between now and April, you’ll see a flood of tax-themed cyberattacks:
-
Fake IRS notices
-
Phishing disguised as tax software updates
-
Bogus messages from “your accountant”
-
Random invoices that look tax-related
Criminals love this season because people are busy, stressed, and used to unusual financial requests.
Don’t give them an open door.
🛡️ Is Your Business Ready?
If you already have these guardrails in place, awesome—you’re ahead of the curve.
If not? Now’s the time to get your team protected before anything lands in your inbox.
We can help.
👉 Book a 10-minute Tax Season Security Check-In Here
We’ll review:
-
Your payroll access controls
-
MFA status
-
Email protections against spoofing
-
One critical policy most businesses forget
Because tax season is hard enough without identity theft in the mix.
And stopping this scam? It’s easier than fixing it.