Social engineering in tax season: Form W-2 exploits

This year’s deadline for filing individual tax returns is April 18.

Malicious actors routinely target human resources professionals, certified public accountants, and individual employees with social engineering attacks during tax season in an effort to obtain copies of Internal Revenue Service Form W-2 (Wage and Tax Statement). Form W-2 contains the information that allows a malicious actor to file false tax returns and steal the refunds. Those who receive, process, or maintain copies of W-2s should be on the lookout for phishing emails and other types of social engineering attempts this tax season.

Here are some FAQs about protecting yourself from theft of W-2 information.

What is social engineering?

Social engineering is a technique used by malicious actors to exploit human error, often in an effort to gain access to sensitive information, such as the information included in a W-2.  

How does social engineering work?

Malicious actors work to identify – generally by searching publicly available information on the internet – those individuals who are likely to have access to sensitive information, including copies of W-2 forms. Those individuals often include human resources professionals and individuals who assist with the preparation and filing of tax returns, such as certified public accountants. Once the targets are identified, malicious actors “phish” them by emailing them seemingly legitimate requests for information. In the case of a phishing exploit involving W-2s, the target responds as requested by providing copies of W-2 forms, and the malicious actor pulls the information and then electronically files fraudulent tax returns so he or she can steal the tax refunds.

What can be done to prevent a W-2-related exploit? 

Individuals who receive, process, or maintain copies of W-2s must be trained to understand that they are targets for malicious actors, especially during tax season. Organizations must have technology in place sufficient to safeguard copies of W-2s. They should also establish processes to ensure the legitimacy of any request for sensitive information, including copies of W-2s. If a W-2 is to be sent by email, which is not recommended, it should be encrypted or password protected. 

Is a successful W-2 exploit a data breach?

Yes. A W-2 contains “personal information” as defined by all state data breach notification statutes because it includes individuals’ names and Social Security numbers. Documents equivalent to Form W-2 in other countries contain similarly sensitive data. 

The Constangy Cyber team has the experience necessary to help organizations prevent W-2 exploits, and the ability to provide fully managed incident response services to organizations that have fallen victim to this scam.

  • Alyssa Watzman

    Alyssa serves as a vice chair of the Constangy Cyber Team and is located in Denver. She has extensive experience managing responses to data security incidents, having focused her practice solely on managing them, as well as on helping ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

