Are Your W-2s Safe? Understanding How Hackers Target Tax Data
August 19th, 2025
8 min read

Did you know that Business Email Compromise (BEC) attacks resulted in $2.77 billion in reported losses in 2024 alone? W-2 data theft represents a significant share of these social engineering schemes.
If you're in HR or payroll, you know that tax season brings more than just deadlines—it brings cybercriminals. Year after year, W-2s are stolen in droves, and no matter how much your company invests in cybersecurity, the attacks keep coming.
At Lift HCM, we’ve seen firsthand how even the most diligent organizations fall victim to these sophisticated scams. It’s not always due to technical failures—often, it’s just one well-placed email that sets off a costly chain of events.
In this article, we’ll explain exactly how hackers are targeting your W-2s, why traditional security methods aren’t stopping them, and what proactive steps your company can take to defend against these persistent threats.
Table of Contents
- What Makes W-2s Such Attractive Targets?
- How Do Hackers Target Your W-2 Data?
- Why Traditional Security Measures Fall Short
- How Are W-2 Threats Evolving?
- What Can You Do? Building Comprehensive Defense
- Frequently Asked Questions
- Quick Reference Security Checklist
- The Path Forward: From Vulnerability to Vigilance
What Makes W-2s Such Attractive Targets?
W-2 forms contain comprehensive personally identifiable information that makes them extremely valuable to cybercriminals:
- Full legal names and addresses
- Social Security numbers
- Detailed income information
- Employer identification data
This comprehensive dataset enables criminals to:
- File fraudulent tax returns
- Apply for loans and credit lines
- Commit long-term identity theft
- Launch targeted phishing campaigns
💡 Pro Insight: Unlike credit cards that can be quickly canceled, W-2 data remains valuable to criminals for years after theft.
How Do Hackers Target Your W-2 Data?
Spear Phishing: The Primary Attack Vector
In 2025, the IRS continues to see the "new client" scam, which involves spear phishing attempts that target tax professionals. These attacks use highly personalized emails designed to deceive specific individuals within organizations.
Common spear phishing scenarios:
- CEO impersonation requesting "urgent" W-2 data
- "New client" impersonation, where cybercriminals pose as prospective clients to trick tax professionals and other businesses into replying
- Fraudulent vendor communications requesting employee information
- Internal IT "security updates" requiring credential verification
Business Email Compromise (BEC) Schemes
BEC was the second most costly cybercrime in 2024, resulting in $2.77 billion in reported losses across 21,442 incidents. The FBI describes BEC as targeting "employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners".
How BEC attacks work:
- Cybercriminals research the organizational structure, often spending weeks or months studying the organization's vendors, billing systems, and the CEO's style of email communication
- They craft convincing executive impersonation emails, typically from a spoofed or lookalike address, or from a genuinely compromised account
- They request immediate W-2 transmission for "critical business needs", timed and worded so the recipient acts before verifying
Malicious Attachments and Technical Exploits
According to the 2024 Verizon Data Breach Investigation Report (DBIR), 94% of malware is delivered through email attachments. In the "new client" scam, once the tax professional replies, the scammer sends a malicious attachment or URL that can compromise the preparer's computer systems and give the attacker access to sensitive client information.
Red flag indicators:
- Unexpected attachments from unknown senders
- Links to "secure portals" requiring immediate login
- Urgent software updates outside normal IT channels
- Awkwardly phrased sentences and odd word usage in emails
Why Traditional Security Measures Fall Short
The Human Factor: Your Biggest Vulnerability
According to the 2024 Verizon DBIR, the human element was a factor in 68% of breaches. Even advanced technical defenses struggle against social engineering that exploits human psychology rather than technical vulnerabilities.
Psychological manipulation tactics:
- Authority bias: Employees conditioned to follow executive requests
- Time pressure: Urgent wording that pushes the employee to act before verifying, combined with the appearance of executive authority
- Social proof: References to "standard procedures" or "company policy"
- Trust exploitation: Using spoofing tools to direct email responses to accounts criminals control
Organizational Blind Spots
Last year, the IRS received hundreds of reports of the new client scam at phishing@irs.gov, and the organizations that fell for it tended to share the same gaps.
Common security oversights:
- Limited employee awareness of evolving threat tactics
- Insufficient verification procedures for sensitive data requests
- Failure to verify the authenticity of requests through face-to-face or voice-to-voice communication
How Are W-2 Threats Evolving?
Expanding Target Demographics
Cybercriminals impersonate new, potential clients to trick tax professionals and other businesses, with attacks now targeting:
- Educational institutions: Schools experiencing dangerous W-2 phishing scams
- Healthcare organizations: Hospitals targeted in phishing schemes
- Non-profit organizations: Including tribal groups and community organizations
- Small businesses: Increasingly targeted due to often limited security resources
Social Media and Technology Integration
Another growing concern in 2025 continues to involve incorrect tax information on social media that can mislead honest taxpayers with bad advice, potentially leading to identity theft and tax problems.
Modern attack vectors include:
- Social media platforms that routinely circulate inaccurate or misleading tax information, including TikTok, where people share wildly inaccurate tax advice
- Sophisticated email spoofing techniques
- Access to stolen email accounts allowing scammers to find legitimate emails between victims and their tax preparers
What Can You Do? Building Comprehensive Defense
Technical Security Implementation
Essential technology stack:
- Multi-factor authentication on all payroll systems
- Email authentication protocols (SPF, DKIM, DMARC implementation)
- Advanced threat protection with behavioral analysis
- Endpoint detection and response solutions
- Network segmentation isolating sensitive data systems
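SPF and DMARC only protect a domain when the records are actually enforcing. The following script, added here as an example and not part of Lift HCM's tooling, grades the TXT records a domain publishes and points out the common weak settings (`+all` in SPF, `p=none` or a reduced `pct` in DMARC) next to a corrected pair. The record strings are constructed samples; in practice you would fetch them by DNS lookup of `<domain>` (SPF) and `_dmarc.<domain>` (DMARC).

```python
"""Grade SPF and DMARC records for a sending domain (added example)."""
import re

# Constructed sample records: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 a mx +all"
STRONG_SPF = "v=spf1 include:_spf.example-mail.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example-payroll.com; adkim=s; aspf=s")

# Mechanisms that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Return the 'all' qualifier, lookup count and a list of weaknesses."""
    if not record.lower().startswith("v=spf1"):
        return {"valid": False, "findings": ["not an SPF record"]}
    all_q, lookups, findings = None, 0, []
    for term in record.split()[1:]:
        t = term.lower()
        m = re.fullmatch(r"([+\-~?]?)all", t)
        if m:
            all_q = m.group(1) or "+"   # no qualifier means pass (+)
            continue
        name = re.split(r"[:=/]", t.lstrip("+-~?"))[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
    if all_q is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_q == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_q == "?":
        findings.append("'?all' is neutral and gives receivers no signal")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"valid": True, "all": all_q, "lookups": lookups, "findings": findings}


def parse_dmarc(record: str) -> dict:
    """Return the policy, enforcement percentage and a list of weaknesses."""
    if not record.lower().startswith("v=dmarc1"):
        return {"valid": False, "findings": ["not a DMARC record"]}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none lets attackers send from any subdomain")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of abuse")
    return {"valid": True, "policy": policy, "pct": pct, "findings": findings}


def grade_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks into one report."""
    s, d = parse_spf(spf), parse_dmarc(dmarc)
    return {"spf": s, "dmarc": d,
            "enforcing": s.get("all") in ("-", "~") and d.get("policy") in ("quarantine", "reject")
                         and d.get("pct") == 100}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        report = grade_domain(spf, dmarc)
        print(label, "enforcing" if report["enforcing"] else "NOT enforcing")
        for f in report["spf"]["findings"] + report["dmarc"]["findings"]:
            print("  -", f)
```

A domain that grades as "NOT enforcing" will still have its mail delivered when spoofed, so the rest of this list (MFA, EDR, segmentation) does nothing to stop the initial impersonation email.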
Critical Organizational Policy Framework
Dual Authorization Protocol:
- The IRS recommends using a two-person review process when receiving requests for Forms W-2
- Out-of-band confirmation through separate communication channel
- Verify the authenticity of requests to send money by walking into the CEO's office or speaking to him or her directly on the phone
- Written documentation of request source and authorization
Verification Procedures:
- The IRS also recommends that businesses require that any requests for payroll be submitted through an official process, like the employer's human resources portal
- Individuals should verify the identity of the sender by using another communication method; for instance, calling a number they independently know to be accurate
Employee Training and Awareness
Comprehensive training program components:
Recognition Training:
- Tax professionals should be wary of phishing emails sent from compromised (stolen) email accounts, since the sender address itself looks legitimate
- Understanding common social engineering tactics
- Identifying suspicious email patterns and requests
- Learning to recognize alarming language such as "Your account has now been put on hold," or "Unusual Activity Report"
Role-specific training modules:
- HR personnel: Advanced social engineering recognition
- Finance teams: Wire fraud prevention protocols
- Executive assistants: Authority verification procedures
- IT staff: Technical threat identification
Rapid Response Protocol
Immediate response checklist:
If You Suspect a Scam:
- If you receive a phone call from someone claiming to be from the IRS and suspect they are not an IRS employee, do not act on the call; verify any claimed balance by viewing your tax account information online at IRS.gov
- As a reminder, never click on any unsolicited communication claiming to be from the IRS as it may surreptitiously load malware
- Preserve the original suspicious email for investigation
If You've Been Victimized:
- Contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent
- Report the incident to phishing@irs.gov and also file a complaint with the FBI's Internet Crime Complaint Center (IC3)
- If you are a victim of this scam (e.g., you responded by sending the W-2s), email dataloss@irs.gov
Frequently Asked Questions
What should I do if I accidentally sent W-2s to a phishing email?
- Email dataloss@irs.gov immediately with details of the incident
- Send full email headers to phishing@irs.gov (Subject: W-2 Scam)
- Contact your financial institution to monitor for suspicious activity
- File a complaint with the FBI's Internet Crime Complaint Center (IC3)
- Notify affected employees of the potential data breach
💡 Pro Insight: Speed is critical - the faster you report, the better chance law enforcement has to freeze stolen funds and prevent further damage.
Legal Requirements:
- Report to Treasury Inspector General for Tax Administration (TIGTA)
- File with Federal Trade Commission
- Check state-specific breach notification requirements
How can I verify if a W-2 request email is legitimate?
IRS Official Guidance:
- The IRS never initiates contact via email, text, or social media requesting personal or financial information
- Face-to-face or voice-to-voice verification is the most reliable method
- Call the requester directly using a known phone number (not contact info from the email)
Red Flag Indicators:
- Urgent language or time pressure
- Requests sent outside normal business hours
- Slight variations in email addresses (john.kelly vs john.kelley)
- Generic greetings or awkward phrasing
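The red flags above, and the Reply-To hijacking described earlier under "Trust exploitation", can be checked mechanically before a human ever reads the message. The script below is an added example (not Lift HCM's code) that inspects a raw email for a Reply-To that diverges from the From address, a sender domain within a couple of character edits of your own domain (the john.kelly vs john.kelley pattern applied to domains), an executive's display name arriving from an external domain, a failing DMARC result in Authentication-Results, and urgency wording attached to a W-2 request. `PROTECTED_DOMAIN`, `EXEC_NAMES` and both messages are constructed assumptions.

```python
"""Flag common spoofing signs in a W-2 request email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAIN = "example-payroll.com"      # assumption: your own domain
EXEC_NAMES = {"jane doe"}                     # assumption: display names to protect
URGENCY = re.compile(r"\b(urgent|immediately|asap|today)\b", re.I)
W2_MENTION = re.compile(r"\bw-?2s?\b", re.I)

# Constructed sample messages: one spoofed request, one ordinary internal mail.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-payroll.com>
Reply-To: jane.doe.ceo@mail-example.net
To: hr@example-payroll.com
Subject: Urgent: W-2s for all staff
Authentication-Results: mx.example-payroll.com; dmarc=fail header.from=examp1e-payroll.com

Need the 2024 W-2s for every employee as a single PDF. Send immediately.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-payroll.com>
To: hr@example-payroll.com
Subject: Q3 headcount summary
Authentication-Results: mx.example-payroll.com; dmarc=pass header.from=example-payroll.com

Please send over the Q3 headcount summary when convenient.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect(raw: str) -> list[str]:
    """Return a list of red flags found in the raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Replies silently redirected to an address the sender does not control.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 2. Sender domain is a near-miss of the protected domain.
    dist = edit_distance(from_domain, PROTECTED_DOMAIN)
    if from_domain != PROTECTED_DOMAIN and dist <= 2:
        flags.append(f"lookalike sender domain {from_domain} ({dist} edit(s) from {PROTECTED_DOMAIN})")

    # 3. An executive's display name arriving from outside the organization.
    if from_name.lower() in EXEC_NAMES and from_domain != PROTECTED_DOMAIN:
        flags.append(f"display name '{from_name}' used from external domain {from_domain}")

    # 4. The receiving MTA already recorded a DMARC failure.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("Authentication-Results reports dmarc=fail")

    # 5. Urgency language attached to a request for W-2 data.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if W2_MENTION.search(text) and URGENCY.search(text):
        flags.append("W-2 request combined with urgency language")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, inspect(raw) or "no flags")
```

None of these checks replaces the phone call to a known number; they decide which messages must not be answered until that call has happened.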
Where do I report suspected W-2 phishing attempts?
Primary Reporting Channels:
For W-2 Phishing (Whether Victim or Not):
- Email: phishing@irs.gov (Subject: W-2 Scam)
- Include: Full email headers, not screenshots
- Specify: Whether you are a victim or just received the attempt
For Financial Losses:
- Treasury Inspector General for Tax Administration (TIGTA)
- Federal Trade Commission
- FBI Internet Crime Complaint Center (IC3)
Additional Resources:
- Forward to your internet service provider's abuse department
- Contact local attorney general's consumer protection office
💡 Pro Insight: The IRS specifically tracks W-2 scams separately from other BEC variants - always specify "W-2 Scam" in subject lines.
What information should I include when reporting a phishing attempt?
Essential Information:
- Full email headers (not screenshots or scanned images)
- Telephone numbers (caller ID and callback numbers)
- Employee details (if impersonating staff)
- Exact date and time of the communication
- Geographic location where you received the contact
For Phone Scams, Also Include:
- The caller's claimed IRS employee name and badge number (if provided)
- Brief description of the communication
- Whether you provided any information
📊 Documentation Tip: Screenshots remove valuable technical information that law enforcement needs for investigation.
How can I protect my organization from W-2 phishing attacks?
IRS-Recommended Safeguards:
Technical Implementation:
- Multi-factor authentication on all payroll systems
- Email authentication protocols (SPF, DKIM, DMARC)
- Endpoint protection with behavioral analysis
- Network segmentation for sensitive data
Process Controls:
- Two-person verification for all W-2 requests
- Official HR portal requirements for payroll requests
- Out-of-band confirmation through separate communication channels
- Written documentation of all authorization processes
Training Requirements:
- Regular phishing simulation exercises
- Role-specific security awareness training
- Recognition of social engineering tactics
- Emergency response procedures
💡 Pro Insight: The IRS emphasizes that face-to-face or voice-to-voice communication is the most effective defense against email-based deception.
What should I do if I receive a suspicious IRS-related phone call?
Immediate Verification Steps:
- Do not provide any information and hang up
- Check your account online at IRS.gov to verify actual amounts owed
- Call the IRS directly using official numbers from IRS.gov
- Document the incident with caller ID and callback numbers
Reporting Requirements:
- Email: phishing@irs.gov (Subject: IRS Phone Scam)
- File complaints with FTC, FCC, and state attorney general
- Report to TIGTA for IRS-related incidents
Call Blocking Strategy:
- Install call blocking software on smartphones
- Report unwanted calls to carrier spam services
- Register with National Do Not Call Registry
💡 Pro Insight: IRS impersonation calls remain one of the most popular scam types, often targeting seniors and small business owners.
How do I know if an IRS letter or notice is legitimate?
Verification Process:
- Search IRS.gov using the letter or form number
- Compare formatting with official IRS forms and instructions
- Check for consistent instructions with IRS website guidance
- Verify contact information matches official IRS resources
Warning Signs:
- Instructions differ from IRS.gov guidance
- Request for immediate payment via unusual methods
- Threats of immediate arrest or legal action
- Requests for personal information via email or text
If Suspicious:
- Report to TIGTA and phishing@irs.gov
- Contact IRS directly using official channels
- Do not respond to the suspicious communication
📊 Fraud Alert: Fraudsters often modify legitimate IRS letters and forms to appear authentic.
How much financial damage do W-2 breaches typically cause?
Verified 2024 Statistics:
- $2.77 billion in total BEC losses (FBI IC3 Report)
- 21,442 reported incidents in 2024 alone
- Average of $129,000 per BEC incident
- $4.88 million average cost per phishing breach
Recovery Success:
- FBI Recovery Asset Team froze $561.6 million in 2024
- Recovery success depends on rapid reporting
- Most funds are moved quickly to cryptocurrency or offshore accounts
Long-term Impact:
- Identity theft costs for affected employees
- Regulatory compliance and legal fees
- Reputation damage and client trust erosion
- Increased insurance premiums
What are the current W-2 phishing trends I should watch for?
2024-2025 Active Threats:
"New Client" Scams:
- Cybercriminals impersonate potential clients
- Target tax professionals and HR departments
- Often contain malicious attachments or links
- May use stolen email accounts for authenticity
Business Email Compromise Evolution:
- More sophisticated social engineering
- Combined W-2 theft and wire transfer requests
- Targeting of educational institutions and healthcare
- Use of legitimate-appearing email domains
Social Media Integration:
- Misleading tax advice on platforms like TikTok
- Fake IRS social media accounts
- "Helpful" third parties offering IRS account setup
- Stock investment scams using fake IRS documents
💡 Pro Insight: The IRS reports hundreds of new client scam reports annually, with the tactic representing two-thirds of all BEC complaints.
Quick Reference Security Checklist
Immediate Implementation (This Week):
- Enable multi-factor authentication on payroll systems
- Establish two-person review process for W-2 requests
- Create face-to-face or voice-to-voice verification procedures
- Update employee contact information for verification
Short-term Goals (Next Month):
- Implement email authentication protocols
- Require payroll requests through official HR portal processes
- Review and update incident response plan
- Train staff on recognizing awkwardly phrased sentences and odd word usage in emails
Long-term Strategy (Next Quarter):
- Deploy advanced threat protection solutions
- Establish comprehensive employee training program
- Implement network segmentation for sensitive data
- Develop ongoing security awareness culture
The Path Forward: From Vulnerability to Vigilance
The landscape of W-2 security requires a proactive approach that combines robust technical safeguards with human-centered security awareness. Organizations that focus on prevention rather than recovery see significantly better outcomes in protecting sensitive employee data.
Your next steps:
- Assess current vulnerabilities using our security checklist
- Implement immediate protective measures including two-person verification for W-2 requests
- Develop verification protocols that require face-to-face or voice-to-voice communications
- Establish monitoring and response protocols including proper reporting to phishing@irs.gov and ic3.gov
At Lift HCM, we understand that effective W-2 protection requires more than technology—it demands a strategic approach combining proven security frameworks with continuously educated teams.
Ready to transform your W-2 security posture? Our human capital management experts can help you implement the verified security protocols recommended by the FBI and IRS to protect your most sensitive employee data while maintaining operational efficiency.
Take the first step toward building unbreachable W-2 protection for your organization and grab your free Information Security Self-Assessment Checklist!
At Lift HCM, we don't just advise on W-2 security best practices—we implement them rigorously within our own organization. Our internal security framework demonstrates the same level of protection we bring to client partnerships.
Caitlin Kapolas is a results-driven professional with a strong background in account management and retail. She is dedicated to improving client experiences and building lasting relationships. Caitlin excels in identifying client needs, resolving issues, and implementing customized solutions that drive value. Her effective communication skills ensure high client satisfaction and loyalty, making her a trusted advisor and partner in meeting client needs with precision and professionalism.