It’s February. Tax season is ramping up. Your accountant is getting busier. Your bookkeeper is pulling documents. Everyone’s thinking about W-2s, 1099s, and deadlines.
Here’s the part most people don’t put on the calendar: tax season is also prime time for scams—especially the ones that look completely normal.
One of the most common, and most believable, targets payroll and HR. And it often shows up long before April.
The W-2 Scam: How It Usually Works
Here’s the setup:
Someone in your company, often whoever handles payroll or HR gets an email that appears to be from the CEO, owner, or a senior leader.
The message is short, familiar, and urgent:
“Hey, I need copies of all employee W-2s for a meeting with the accountant. Can you send them ASAP? I’m slammed today.”
The timing feels right. The request sounds plausible. The tone matches what people expect during tax season.
So someone sends the files.
Except the email didn’t come from leadership. It came from an attacker using a look-alike domain, spoofing, or another impersonation tactic.
And those W-2s contain sensitive employee data, including:
- Full legal name
- Social Security number
- Home address
- Income information
That’s enough information to create serious downstream problems for employees.
What Happens Next (and How You Might Notice)
In many cases, people only realize something’s wrong later, often when an employee runs into a tax filing issue or starts receiving unusual notices.
The follow-up can include:
- Time-consuming identity verification steps
- Credit monitoring and account reviews
- Ongoing admin work for HR/payroll
- Employee frustration and trust concerns
Even if the business responds quickly, it’s still disruptive.
Why This Scam Works So Well
This isn’t an obvious scam email, it’s designed to blend in. It works because:
- The timing fits. W-2 requests are normal in February.
- The request sounds reasonable. It’s not obviously suspicious like gift cards or wire transfers.
- The urgency feels familiar. “I’m slammed today, can you send this?” doesn’t stand out.
- The sender looks legitimate. Attackers often research names and roles to make it convincing.
- People want to be helpful. Especially when the message looks like it comes from leadership.
How to Protect Your Business (Before It Shows Up)
Good news: this is highly preventable. It’s mostly policy + process + culture.
1) Set a clear rule for how W-2s can be shared
Instead of “never,” make it specific and actionable:
“W-2s and payroll documents are only shared through approved secure methods (not via email attachments).”
If someone requests them by email, the response is:
“Happy to help, please submit that request through our approved process.”
2) Verify sensitive requests using a second channel
If a request involves payroll documents, bank details, credentials, or large payments, verify using a method you already trust:
- call a known number (not the one in the message)
- confirm in person
- use an internal chat channel you trust
3) Do a 10-minute “tax scam huddle” now
A quick reminder to payroll/HR goes a long way:
- what the scam looks like
- what to do if they receive something suspicious
- who to escalate to
4) Lock down payroll and HR accounts
Enable multi-factor authentication (MFA) on systems that store employee data and use strong access controls. MFA reduces the chance that a stolen password becomes an account takeover.
5) Reward verification
The employee who double-checks a request should be thanked, not teased for being cautious. When verification is normal, scams have fewer openings.
The Bigger Picture
The W-2 scam is just one example of “seasonal” social engineering. Between now and April, it’s also common to see:
- Messages pretending to be from the IRS or a tax agency
- “Tax software update” phishing links
- Spoofed notes from “your accountant”
- Fraudulent invoices timed to look like tax expenses
Tax season is busy, and attackers rely on speed, distraction, and familiarity.
Businesses that get through cleanly aren’t just luckier, they usually have clearer policies, simple verification steps, and basic protections in place.
Is Your Business Ready?
If you already have a secure process for W-2 handling, MFA is enabled, and your team knows to verify sensitive requests, great. You’re ahead of many businesses.
If not, now is a smart time to tighten it up.
If you’d like help, book a 15-minute Tax Season Security Check and we’ll review:
- payroll/HR access + MFA
- your verification rules for sensitive requests
- email protection that help flag impersonation
- the one policy gaps many teams overlook
Book your 15-minute Tax Season Security Check
Because tax season is stressful enough without identity theft on top of it.