What Is W-2 Phishing?
W-2 phishing is a targeted form of business email compromise in which attackers impersonate company executives or authority figures via spoofed or compromised email, sending urgent requests to payroll, HR, or accounting staff to hand over employee W-2 tax forms containing Social Security numbers, addresses, and income information.
How does W-2 phishing work?
The attack begins with reconnaissance: attackers identify the company's CEO, CFO, or other C-level executive name along with the appropriate HR or payroll contact, often harvesting this information from LinkedIn, company websites, public records, or previous data breaches. The attacker then executes one of two attack variations. In the first variant, the attacker spoofs the executive's email address through display-name spoofing (where the display name reads "CEO Name" but the actual email address is attacker-controlled) or domain spoofing (registering a lookalike domain such as example-com.net instead of example.com). In the second variant, the attacker directly compromises the actual executive email account via a credential phishing campaign targeting that specific individual or by exploiting previously stolen credentials.
A short, authoritative email is sent to the payroll or HR employee—typically the person responsible for managing W-2 distribution and tax documentation. The message requests "all employee W-2s," "copies of 2024 W-2 forms," or "a current copy of our W-2 documentation." The request is framed as urgent ("needed immediately"), confidential ("between you and me"), or justified by external authority ("for audit purposes" or "for an external review"). The tone mimics legitimate business communication—brief, commanding, and leaving little room for questions.
When the victim replies with a file (typically a PDF or spreadsheet sent as an attachment) containing all employee W-2 data, that is names, SSNs, addresses, wages, tax withholdings, and employer identification information, the attacker has achieved the primary objective. The stolen data provides everything needed for identity theft at scale. The W-2s are then used to file fraudulent tax returns claiming refunds in employees' names, sold on dark web markets to identity theft rings, or used for broader identity theft such as opening credit accounts, obtaining loans, or establishing fraudulent business relationships. The damage extends beyond the initial tax fraud: affected employees can face years of recovery effort and credit monitoring. Attacks spike during tax season (January-April), with a 130% increase observed between December 2023 and January 2024 (CyberRisk Alliance, 2024).
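The two sender tricks described above (display-name spoofing and a lookalike domain) and the lure wording (bulk W-2 request plus urgency or secrecy) can all be checked on the inbound side. The following is an added example, not code from the original page: a small triage routine for a mail gateway or SOAR playbook. The corporate domain `example.com`, the executive roster, the indicator phrases, the 0.8 similarity threshold and the sample messages are all constructed assumptions. Note that in the compromised-account variant the From address is genuine, so only the content check fires, which is why the routine reports the lure language separately from the header findings.

```python
"""Inbound triage for executive-impersonation email carrying a W-2 lure.

Added illustration, not from the page. Roster, domain, phrase list and
sample messages are constructed for this example.
"""
import difflib
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain
EXECUTIVES = {  # assumed roster: normalized display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Phrases that recur in W-2 lures: the bulk request, urgency, secrecy, false authority.
LURE_PATTERNS = [
    r"\bw-?2s?\b",
    r"\ball employees?\b",
    r"\b(immediately|asap|urgent)\b",
    r"\bbetween you and me\b",
    r"\b(audit|external review)\b",
    r"\bconfidential\b",
]


def normalize_name(display):
    """Lower-case and strip punctuation so 'Jane  Doe' and 'jane doe' compare equal."""
    return re.sub(r"[^a-z ]", "", display.lower()).strip()


def lookalike_domain(domain, legit=CORPORATE_DOMAIN):
    """True if domain is outside the corporate domain but closely resembles it,
    e.g. example-com.net or examp1e.com against example.com."""
    if domain == legit or domain.endswith("." + legit):
        return False

    def core(d):  # drop the TLD, then punctuation: example-com.net -> examplecom
        return re.sub(r"[.-]", "", d.rsplit(".", 1)[0])

    targets = {core(legit), re.sub(r"[.-]", "", legit)}
    return max(difflib.SequenceMatcher(None, core(domain), t).ratio() for t in targets) >= 0.8


def triage(from_header, subject, body):
    """Return a list of human-readable findings for one inbound message."""
    findings = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    internal = domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)
    name = normalize_name(display)

    # Display-name spoofing: an executive's name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        kind = "mismatched internal" if internal else "external"
        findings.append(f"display-name spoof: '{display}' sent from {kind} address {addr}")

    # Domain spoofing: registered lookalike of the corporate domain.
    if domain and not internal and lookalike_domain(domain):
        findings.append(f"lookalike domain: {domain}")

    # Lure content: a W-2 request combined with at least two other indicators.
    text = f"{subject}\n{body}".lower()
    hits = [p for p in LURE_PATTERNS if re.search(p, text)]
    if re.search(r"\bw-?2s?\b", text) and len(hits) >= 3:
        findings.append(f"W-2 lure language ({len(hits)} indicators)")
    return findings


# Constructed sample messages (header, subject, body); not real traffic.
SAMPLES = [
    ('"Jane Doe" <jane.doe@freemail.test>', "Quick request",
     "Kindly send me copies of 2024 W-2 forms for all employees. "
     "Needed immediately, keep this between you and me."),
    ('"Jane Doe" <ceo@example-com.net>', "W2s",
     "Send all employee W-2s for the external review asap."),
    ("Jane Doe <jane.doe@example.com>", "W-2s",  # compromised-account variant
     "Please forward all employees W-2s for audit purposes, confidential."),
    ("Payroll Vendor <support@payrollvendor.test>", "Q1 newsletter",
     "Our quarterly update is attached."),
]

if __name__ == "__main__":
    for hdr, subj, body in SAMPLES:
        print(hdr, "->", triage(hdr, subj, body) or ["clean"])
```

The third sample is the important one for tuning: a real executive mailbox asking for all W-2s produces no header finding at all, so the content rule (or the out-of-band verification policy) is the only control that catches it.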
How does W-2 phishing differ from other BEC attacks?
| Dimension | W-2 Phishing | Standard BEC (Wire Fraud) | Credential Phishing | CEO Fraud |
|---|---|---|---|---|
| Primary Target | HR/Payroll staff | Finance/Accounting staff | Any employee | Finance/Treasury staff |
| Goal | Steal employee PII (SSN, wages) | Redirect wire transfers | Harvest login credentials | Direct financial theft |
| Monetization Method | Fraudulent tax returns, identity theft | Direct financial transfer to mule account | Account takeover, lateral movement | Wire transfer to attacker account |
| Seasonality | Heavy January-April (tax season) | Year-round | Year-round | Year-round |
| Typical Payload | None (social engineering only) | None (social engineering only) | Malicious link to fake login page | None (social engineering only) |
| Average Loss per Incident | Varies; affects all employees in organization | $129,000 per incident (FBI IC3, 2025) | Varies by service | $125,000+ per incident |
| Attack Complexity | Low (simple email request) | Low (simple email request) | Low (link distribution) | Low (urgent request) |
| Ideal for | Harvesting employee data at scale; setting up identity theft infrastructure | Stealing corporate funds immediately | Compromising individual accounts | Immediate financial theft |
The difference is the asset being stolen: W-2 phishing targets employee data that is monetized later through fraudulent returns, while wire fraud targets corporate funds immediately. Both use the same executive-impersonation playbook, so defenses for one (out-of-band verification, DMARC enforcement, MFA on executive mailboxes) largely cover the other.
Why has W-2 phishing gained traction?
W-2 phishing has become a preferred attack vector because it harvests Personally Identifiable Information (PII) at scale, stealing data on dozens or hundreds of employees in a single successful attack. The FBI IC3 reported that phishing was the most-reported cybercrime category in 2024 with 193,407 complaints and $70 million in reported losses, nearly quadruple the prior year (FBI IC3, "2024 Internet Crime Report," 2025). W-2 phishing attacks spike seasonally during tax season (January through April), with a 130% increase observed between December 2023 and January 2024 (CyberRisk Alliance, 2024). The IRS has included W-2 phishing in its annual "Dirty Dozen" list of top tax scams (IRS, 2025). According to the IRS, W-2 phishing disproportionately targets school districts, restaurants, hospitals, tribal organizations, nonprofits, and small businesses. The attack requires minimal technical sophistication, just social engineering, which makes it accessible to less-skilled threat actors. For scale, broader BEC losses (which include W-2 phishing variants) totaled $2.77 billion in 2024 across 21,442 complaints, over 17% of the $16.6 billion in total reported cybercrime losses (FBI IC3, 2025).
What are the limitations of W-2 phishing?
W-2 phishing has several fundamental weaknesses from the attacker's point of view. The attack relies entirely on one employee responding; if that person verifies the request through a secondary channel (a phone call to the executive on a known number, not one taken from the email), the attack fails immediately. The effective window is narrow, primarily the January through April tax season; outside that period, W-2 requests are unusual and more likely to raise suspicion. Because the attack uses no malware or technical exploit, endpoint security tools have nothing to detect, but the flip side is that the evidence lives in email: the spoofed or compromised sender, the message itself, and the outbound reply with the attachment are all in mail logs and mailbox audit records, which is where post-incident investigation should focus.
Monetizing the data also exposes the attackers. Unlike a wire transfer to a mule account, the stolen W-2s have to be turned into fraudulent tax filings, which law enforcement can trace back to the scheme and use to pursue perpetrators. Many organizations lack specific detection rules for outbound PII exfiltration via email attachments; however, a simple organizational policy requiring out-of-band verification for bulk PII requests blocks most W-2 phishing attempts. Additionally, Data Loss Prevention (DLP) tools configured for SSN and W-2 file patterns can catch these attacks if deployed on the outbound path.
How can organizations defend against W-2 phishing?
Establish a policy that any request for bulk employee W-2 or PII data must be verified via a secondary channel (a phone call to a known number, or in-person confirmation) and never fulfilled based solely on email. Implement email authentication at enforcement level (DMARC with p=reject, backed by aligned SPF and DKIM) to prevent exact spoofing of the corporate domain; note that DMARC does not stop display-name spoofing from a freemail account or mail from a lookalike domain the attacker registered, so pair it with external-sender tagging and a rule that flags executive names on non-corporate addresses. Conduct regular, role-specific phishing simulations targeting HR and payroll staff, especially before and during tax season, measuring awareness and adjusting training based on results.
Configure Data Loss Prevention (DLP) rules to flag or block outbound emails containing SSN patterns, W-2 file attachments, or bulk PII, particularly when the recipient is external. Limit the number of employees who can access and export bulk W-2 data through least-privilege access controls and role-based permissions. If a W-2 breach occurs, forward the phishing email to phishing@irs.gov with "W2 Scam" in the subject line, report the data loss to the IRS at dataloss@irs.gov so it can flag fraudulent returns filed with the stolen data, file a complaint with the FBI's IC3 at ic3.gov, and notify all affected employees so they can file IRS Form 14039 (Identity Theft Affidavit) and place fraud alerts. Protect executive email accounts with multi-factor authentication to prevent the account compromise that enables the second variant of W-2 phishing.
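The DLP rule described above is the one technical control that works even when the sender was genuinely compromised, because it inspects the HR employee's outbound reply rather than the inbound lure. Below is an added example, not code from the page or from any DLP product: a self-contained Python scan that validates SSN structure (to avoid matching phone and order numbers), counts distinct SSNs across body and text attachments, looks for W-2 file names, and returns allow/flag/block. The corporate domain `example.com`, the bulk threshold of 5, the file-name pattern and all sample messages are constructed assumptions; a real deployment would add a PDF text extractor for binary attachments.

```python
"""Outbound DLP check for bulk W-2 / SSN exfiltration by email.

Added illustration, not from the page or any product. Domain, threshold,
file-name pattern and sample messages are constructed for this example.
"""
import re

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain
BULK_THRESHOLD = 5                # assumed: distinct SSNs that make an external send a block

# Delimited SSN only (123-45-6789 or 123 45 6789); bare 9-digit runs are deliberately
# skipped here because they match far too many invoice, account and tracking numbers.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
# 'W2', 'W-2', 'W_2s' as a standalone token; underscore is excluded from the
# boundary on purpose so that 2024_W2s_all.csv still matches.
W2_RE = re.compile(r"(?<![a-z0-9])w[-_ ]?2s?(?![a-z0-9])", re.I)


def valid_ssn(area, group, serial):
    """Structural rules: area 000, 666 and 900-999, group 00 and serial 0000
    are never issued, so matches with those values are not SSNs."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def find_ssns(text):
    """Return the set of distinct structurally valid SSNs in text (digits only)."""
    return {"".join(m.groups()) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())}


def scan_message(msg):
    """msg: {'to': [addr], 'subject': str, 'body': str, 'attachments': [(name, bytes)]}.
    Returns (verdict, reasons) with verdict one of 'allow', 'flag', 'block'."""
    reasons, ssns = [], set()
    external = [r for r in msg["to"] if not r.lower().endswith("@" + CORPORATE_DOMAIN)]
    text_parts = [msg["subject"], msg["body"]]

    for name, data in msg["attachments"]:
        if W2_RE.search(name):
            reasons.append(f"attachment name matches W-2 pattern: {name}")
        try:  # only text-like attachments are inspected in this example
            text_parts.append(data.decode("utf-8"))
        except UnicodeDecodeError:
            reasons.append(f"binary attachment not inspected: {name}")

    for part in text_parts:
        ssns |= find_ssns(part)
    if ssns:
        reasons.append(f"{len(ssns)} distinct SSN(s) in message")
    if W2_RE.search(msg["subject"] + " " + msg["body"]):
        reasons.append("W-2 referenced in subject/body")

    if not reasons:
        return "allow", reasons
    w2_file = any(r.startswith("attachment name") for r in reasons)
    if external and (len(ssns) >= BULK_THRESHOLD or w2_file):
        return "block", reasons
    return "flag", reasons


# Constructed sample payroll export; every SSN below is fictitious.
W2_CSV = (
    "employee,ssn,wages\n"
    "A. Person,123-45-6789,52000\n"
    "B. Person,234-56-7890,61000\n"
    "C. Person,345-67-8901,48000\n"
    "D. Person,456-78-9012,73000\n"
    "E. Person,567-89-0123,55000\n"
    "F. Person,678-90-1234,67000\n"
)
EXFIL = {"to": ["ceo@example-com.net"], "subject": "W-2s",
         "body": "Attached as requested.",
         "attachments": [("2024_W2s_all_employees.csv", W2_CSV.encode())]}
INTERNAL = {"to": ["payroll@example.com"], "subject": "Address correction",
            "body": "One employee: SSN 321-54-9876, new address on file.", "attachments": []}
CLEAN = {"to": ["partner@vendor.test"], "subject": "Meeting",
         "body": "Call 555-123-4567. Reference 666-45-1234 for the order.", "attachments": []}

if __name__ == "__main__":
    for label, m in (("exfil", EXFIL), ("internal", INTERNAL), ("clean", CLEAN)):
        print(label, scan_message(m))
```

The CLEAN sample shows why structural validation matters: a phone number and a reference beginning with 666 both look like SSNs to a naive regex, and a rule that blocks on them would be switched off by the first annoyed user. The INTERNAL sample is flagged rather than blocked because a single SSN to an internal mailbox is normal HR traffic; the block verdict is reserved for the combination the attack actually produces, bulk SSNs or a W-2 file going to an external recipient.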
FAQs
Q: What is a W-2 phishing scam?
A W-2 phishing scam is a type of business email compromise where attackers impersonate a company executive and email HR or payroll staff requesting copies of all employee W-2 tax forms, which contain SSNs, addresses, and income data. The stolen information is then used to file fraudulent tax returns or commit identity theft (IRS, "Form W-2/SSN Data Theft," ongoing).
Q: When are W-2 phishing attacks most common?
W-2 phishing attacks spike during tax season (January through April), with a 130% increase observed between December 2023 and January 2024. The IRS includes W-2 phishing in its annual "Dirty Dozen" list of top tax scams (CyberRisk Alliance, 2024; IRS, "Dirty Dozen," 2025).
Q: What should an employer do if they fall victim to a W-2 phishing scam?
Forward the phishing email to phishing@irs.gov with "W2 Scam" in the subject line, report the data loss to the IRS at dataloss@irs.gov, file a complaint with the FBI's IC3 at ic3.gov, notify all affected employees so they can place fraud alerts and file IRS Form 14039 (Identity Theft Affidavit), and contact local law enforcement. Early notification to the IRS may allow it to flag fraudulent returns before they are processed (IRS, "Form W-2/SSN Data Theft," ongoing).
Q: How does W-2 phishing differ from other BEC attacks?
While standard BEC attacks typically target finance departments to redirect wire transfers, W-2 phishing specifically targets HR and payroll staff to steal employee tax data. The monetization is through fraudulent tax refund filings rather than direct wire fraud. BEC wire fraud averaged approximately $129,000 per incident in 2024, while W-2 phishing can expose every employee's PII in a single breach (FBI IC3, "2024 Internet Crime Report," 2025).
Q: Who is most targeted by W-2 phishing?
The IRS reports that W-2 phishing disproportionately targets school districts, restaurants, hospitals, tribal organizations, nonprofits, and small businesses. Within organizations, payroll, HR, and accounting personnel are the primary targets (IRS, "Form W-2/SSN Data Theft," ongoing).