A New Tax Season, but the Same W-2 Spear Phishing Scam

Alerts / January 26, 2018

With a new tax season approaching, companies should be vigilant in guarding against criminals attempting to obtain sensitive information through a variety of scams. Last month, the IRS issued an alert warning consumers of an email scam targeting Hotmail users that purported to be a request from the IRS for sensitive information. Although this scam targeted consumers individually, the bigger prize comes from targeting organizations. According to the IRS, the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increased to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information and a wire transfer. Once the scammers obtain copies of W-2s, they can move quickly to file fraudulent tax returns that could mirror the actual income received by employees – making the fraud more difficult to detect.

What to Look For

The W-2 scams often begin with a “spoofing” email that appears to be sent by a company’s CEO or CFO to one or more employees in human resources and payroll, or an executive assistant. Some cybercriminals specifically target these emails at times when the executive may be traveling, the business may be urgently preparing tax statements or other periods when an employee is more likely to be caught off guard. Cybercriminals attempt to trick the employees into disclosing employee names, Social Security numbers (SSNs) and income information. The criminals then attempt to file fraudulent tax returns for tax refunds. Here is an example:

The email appears to be a completely legitimate request from a legitimate email address, but in reality, the email is from someone entirely different and has the “REPLY TO” field (which is typically hidden from the end user) set to an email address controlled by the criminal; for example, The email headers would show this. Other variations on the content of the W-2 scam requests can be found in the IRS’ alert on the topic issued Jan. 25, 2017.
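The Reply-To mismatch described above is visible in the raw headers, and a mail gateway or payroll mailbox rule can check for it automatically. The following is an added illustration, not code from the original alert: it parses a constructed sample message (the addresses, names and keyword list are assumptions) and flags the combination of a Reply-To domain that differs from the From domain with W-2 related wording.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real scam mail). The first mimics the
# pattern in the text: a convincing From address, but a hidden Reply-To that
# would route the payroll clerk's answer to a mailbox the attacker controls.
SAMPLE_SCAM = """\
From: "Jane Doe" <ceo@example.com>
Reply-To: "Jane Doe" <jane.doe@example-mail.net>
To: payroll@example.com
Subject: Urgent W-2 request

Kindly send me the 2017 W-2 copies for all employees as PDF today.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <ceo@example.com>
To: payroll@example.com
Subject: Board dinner

Please book the usual room for Thursday.
"""

# Assumed wording list; tune to the organisation's own payroll vocabulary.
W2_KEYWORDS = ("w-2", "w2", "wage and tax", "social security")

def domain_of(header_value):
    """Lowercased domain of an address header ('' if absent or malformed)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def analyze(raw):
    """Inspect one RFC 5322 message; flag Reply-To mismatch and W-2 wording."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [kw for kw in W2_KEYWORDS if kw in text]
    if hits:
        findings.append(f"W-2 related wording present: {hits}")
    # Either signal alone deserves a look; both together is the classic pattern
    # and should trigger the verbal confirmation recommended below.
    return {"findings": findings, "needs_verbal_check": len(findings) == 2}
```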

We expect W-2 scams to continue to rise because of (1) the success attackers had in the past several years; (2) the increase in activity year over year; (3) the time and effort it takes to send targeted emails to employees across industries, which are significantly less than the effort it takes to infiltrate a network; and (4) the low cost to enter the market as an entry-level criminal conducting W-2 scams. The IRS will likely issue further alerts as the tax season gets underway.

Proactive Measures

In order to prepare for the upcoming tax season, companies can focus on some of the following best practices:

  • Re-educate all employees about phishing in general and spear phishing in particular.
  • Never take an email from an ostensibly familiar source at face value; for example, an email from the CEO or an HR executive. If it asks you to open a link or attachment, think twice.
  • If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.
  • Consider a verbal confirmation by phone during tax season if you receive an email requesting copies of W-2s.
  • Be cautious of verification via instant messaging (IM), as an attacker with access to an email account may also have access to IM.

Bottom line, payroll officials should double-check any executive-level or unusual requests for copies of W-2s. You can review a compilation of IRS alerts as well as further information on how to avoid tax fraud in general on the IRS’ website.

How to Respond to W-2 Phishing Scams

In the event that your organization experiences a W-2 phishing scam, consider the following in responding to potential incidents.

  • Retain competent counsel that has experience with W-2 incidents. In addition to notification services, counsel will assist with providing notice to the IRS and to state taxing authorities. The IRS has indicated that once they are notified, they will monitor affected employees’ returns to attempt to prevent fraudulent tax refunds from being paid.
  • Be prepared to investigate the nature and scope of the incident, with focus on ensuring that the perpetrators are not still present in your systems. In most cases involving a phishing scam where a payroll employee inadvertently emails W-2s to the scammer, a forensic investigation will likely not be required, as the scammers never gain access to the system. Additionally, confirm whether the W-2s included the full SSN (as opposed to only the last four digits). The latter may not require formal notification to employees under state data breach notice laws.
  • Pay prompt attention to providing accurate notifications to employees. Determine whether notification to individuals and state agencies is required under applicable state data breach notification laws. Even in incidents that do not require forensic investigation, time is required to draft notification letters, arrange for credit monitoring and engage a vendor to handle mailing notices. State laws require notification to be made as expeditiously as possible, with some states requiring notice within 30 to 45 days. Regulators can be expected to question delays in W-2 incidents, compared with other incidents where a forensic investigation is necessary to determine the scope of affected individuals.
  • Be mindful of communications with employees, and discuss all communications with competent counsel before sending them. Your communication with current and former employees may have consequences down the road should a regulatory inquiry or litigation arise. In particular, W-2 incidents frequently affect former employees who may have left the company on less-than-favorable terms.
  • A growing number of cases have found standing for employees to sue for damages in data security incidents. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388 (6th Cir. 2016). Other more recent cases have recognized that the purchase of credit monitoring services and certain out-of-pocket costs associated with fraudulent activity following the theft of personally identifiable information can constitute cognizable injuries from W-2 phishing scams. In Savidge v. Pharm-Save, Inc., No. 3:17-CV-00186, 2017 WL 5986972 (W.D. Ky. Dec. 1, 2017), two former Pharm-Save employees brought a class action following a W-2 phishing scam. The company moved to dismiss the case, arguing, in part, that the former employees could only show speculative injury that was not causally related to the phishing incident and thus failed to state a plausible claim for relief. In denying the company’s motion, the court found the “purchase of credit monitoring and/or identity protection services, along with [plaintiff]’s expenses associated with the fraudulent tax return filed in her name, were incurred reasonably, rather than in response to injuries that were overly speculative.” Id. at *6. Although the court noted that the mere filing of a fraudulent tax return by itself is not a cognizable injury, according to the court, “the fact that cybercriminals have already misused [the plaintiff’s] information may suggest that [the] purchase of identity protection services, with the knowledge that her information had already been misused, was reasonable and necessary.” Id. at *4, *7.

    In addressing the causation element of the negligence claim, the court in Pharm-Save explained that, in general, “to prove that a data breach caused identity theft, the pleadings must include allegations of a nexus between the two instances beyond allegations of time and sequence.” Id. at *7 (quotation marks omitted) (quoting Resnick v. AvMed, Inc., 693 F.3d 1317, 1326 [11th Cir. 2012]). In Pharm-Save, the court found there was a sufficient nexus between the alleged injury and the incident because the company “specifically told the affected individuals that the breach ‘involved the information provided on [their] W-2’ and ‘[i]t is possible that the criminal(s) may have filed or try to file fraudulent tax refunds in the names of our employees.’” Pharm-Save, 2017 WL 5986972, at *7 (quoting the plaintiffs’ complaint).
  • Credit monitoring is often offered for W-2 incidents in which employees’ SSNs are impacted. Indeed, some states require that companies offer one year of complimentary credit monitoring when individuals’ SSNs were impacted, and at least one state regulator routinely requests that two years of coverage be extended to its residents. Companies will want to discuss with their counsel the amount of credit monitoring coverage required for their employees and should consult with their carrier regarding the amount of credit monitoring that is covered by their policy. Additionally, because your company’s internal HR and customer support staff are likely impacted by this incident, it may be helpful to have an outside call center answering questions. The notification vendor can typically set up a call center for you as well.
  • Competent counsel will be aware of regulatory reporting obligations following a W-2 incident. For instance, as of July 1, 2017, Virginia requires notification to its attorney general if an employer or payroll service provider has an incident involving computerized data relating to state income tax, i.e., “a taxpayer identification number in combination with the income tax withheld.” The notification must include the name and federal employer identification number of the company, which the attorney general will use to notify the state tax department. See Code of Virginia § 18.2-186.6(M).
  • The IRS recommends various steps employees should take if they suspect they are a victim of tax-related identity theft, including the filing of a fraudulent return:
    • Respond immediately to any IRS notice; call the number provided or, if instructed, go to
    • Complete IRS Form 14039, Identity Theft Affidavit, if your e-filed return is rejected because of a duplicate filing under your SSN or you are instructed to do so. Use a fillable form at, print, then attach the form to your return and mail according to instructions.
    • Continue to pay your taxes and file your tax return, even if you must do so on paper.

2018 BakerHostetler Data Security Incident Response Report

Our annual data security incident response report, which provides an in-depth look at cybersecurity trends, will be released soon. Get your complimentary copy by signing up for our mailing list.

For data privacy updates and commentary, be sure to subscribe to BakerHostetler's Data Privacy Monitor blog. 

Authorship credit: David E. Kitchen and David M. Brown

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.

