Protect Your Organization From W2 Scams

Today is International Data Privacy Day, a day set aside to highlight how important data protection is in our daily lives and how vulnerable we can be if we are not vigilant about the daily tasks in front of us. January also happens to be the beginning of tax season for hackers. W-2 phishing scams, which target both corporations and individuals, fall under the larger threat umbrella known as Business Email Compromise (BEC). These threats have become more and more sophisticated over the years, and in 2019 the FBI reported $1.7 billion in losses from BEC events. Corporations are targeted in order to steal employee data, redirect financial transfers, and capture tax refunds. Hackers have become exceptionally skilled at impersonating internal company representatives to make these requests look legitimate. But there are a few things you and your team can do to avoid these threats.


Here are 8 steps you can take now to protect your employees as well as your organization this tax season:

1. Tighten security and workflow

W-2 phishing scams are successful because they target the people in your organization who have access to secure data. Start by reviewing your current policies and procedures to ensure that everyone who has access to your employee tax data actually needs it. If not, update your policies to limit access to employee tax data and funds transfer information. Additionally, set internal limits on the number of documents or amount of data that can be sent at a single time, so that a single compromised request cannot hand everything to an external actor. If you are using a payroll processor, it is easy for former staff to be left with credentials or access. Do some account spring cleaning early.

2. Maintain regular best practices on handling employee data

Times of stress can cause normal processes and best practices to break down, but this is truly when you need them most. Building a strong security culture starts at the top. While humans will avoid pain, they respond better to incentives. Having executives remind your team to keep practicing their regular security habits, and recognizing and rewarding those who are doing a good job, is critical.

3. Educate your staff (especially those who may be targeted!) on trends

Awareness is key! While we recommend that you train your entire staff about cybersecurity in general and phishing scams in particular, it’s important to pay special attention to those staff members who have access to tax information during this time. This may include your employees in the accounting, finance, HR, and admin departments. Burdened staff may be more susceptible to an errant click or deception. Keep them up to date on the latest trends in phishing attacks, and remind them that the IRS will never initiate contact with taxpayers via email (and that anything suspicious should be reported!).

4. Consider a data loss prevention solution

Data loss prevention (DLP) solutions are tools that monitor and block unauthorized external communications containing PII such as Social Security numbers or credit card numbers. Humans make mistakes; that is how most fraud happens, even when compared to malware or hacking. Technology can be a useful backstop against both human error and malicious hacking. While DLP solutions are traditionally a bit burdensome, they can be quite effective. If you take the time to configure them and ensure their coverage, they can help to secure alternate communication channels like Slack, Teams, and cloud apps, and buy you the time needed to stop information from getting into the hands of a criminal.
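The following is an added example, not part of the original post and not the code of any DLP product, showing the two controls from steps 1 and 4 as outbound-message checks: PII detection (SSN-format matching with the structural issuance rules, and Luhn-validated card numbers) and a per-message cap on how many records may leave at once. The internal domain, the threshold, the sample messages and the SSNs and card number in them are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Assumption: these patterns and the default threshold are illustrative,
# not the configuration of any particular DLP product.
# SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; drops digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> list[str]:
    """Return SSN-formatted strings that pass the structural issuance rules."""
    return SSN_RE.findall(text)


def find_cards(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit card numbers with separators removed."""
    text = SSN_RE.sub(" ", text)  # adjacent SSNs must not be re-read as a card
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    action: str                      # "allow", "flag" (log for review) or "block"
    reasons: list[str] = field(default_factory=list)


def evaluate_outbound(recipients: list[str], body: str, internal_domain: str,
                      max_pii_per_message: int = 5) -> Verdict:
    """Decide whether one outbound message may leave the mail gateway."""
    ssns, cards = find_ssns(body), find_cards(body)
    pii_count = len(ssns) + len(cards)
    if pii_count == 0:
        return Verdict("allow")
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() != internal_domain.lower()]
    reasons = [f"{len(ssns)} SSN(s) and {len(cards)} card number(s) in body"]
    if external:                     # step 4: PII never goes outside unreviewed
        reasons.append("PII addressed to external recipient(s): " + ", ".join(external))
        return Verdict("block", reasons)
    if pii_count > max_pii_per_message:   # step 1: cap records per message
        reasons.append(f"bulk PII: {pii_count} records exceeds limit {max_pii_per_message}")
        return Verdict("block", reasons)
    reasons.append("internal PII transfer below limit; logged for review")
    return Verdict("flag", reasons)


INTERNAL_DOMAIN = "example-corp.test"   # constructed

# Constructed sample messages: one routine internal correction, one reply to a
# look-alike external "executive" address, one bulk internal roster, one benign.
SAMPLE_MESSAGES = [
    (["payroll@example-corp.test"], "Correction for one employee, SSN 123-45-6789."),
    (["ceo.urgent@example-mail.test"], "As requested, W-2 details:\n123-45-6789\n234-56-7890"),
    (["payroll@example-corp.test"], "Full roster:\n" + "\n".join(f"10{i}-11-000{i}" for i in range(1, 7))),
    (["vendor@example-mail.test"], "Lunch at noon? Card ending 4111 1111 1111 1112 is expired."),
]


def scan_samples() -> list[str]:
    """Run the gateway decision over the constructed samples; returns actions."""
    return [evaluate_outbound(rcpts, body, INTERNAL_DOMAIN).action
            for rcpts, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (rcpts, body), action in zip(SAMPLE_MESSAGES, scan_samples()):
        print(f"{action:5s} -> {rcpts[0]}: {body.splitlines()[0]}")
```

The last sample contains a card-like number that fails the Luhn check, so it is allowed rather than flagged; that filter is what keeps a DLP rule from drowning reviewers in false positives on order numbers and phone numbers. The "flag" outcome is the important middle ground: internal payroll traffic is legitimate and should not be blocked, but it should leave a reviewable record.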

5. Get on the phone ASAP if you think something is up

Banks may be able to freeze funds transfers or claw them back in the case of a breach. If you notice fraud, call your bank ASAP. Be sure to also report the incident to the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov

6. Use Offline, Out-of-Band Authentication to Verify

To decrease the chance of a successful email scam, encourage employees to verify email requests for sensitive information (including, but not limited to, W-2s). Confirm these requests over the phone or in person, using a number or contact you already know rather than one supplied in the request, so a BEC campaign cannot succeed on the strength of a convincing email alone. Keep in mind that phishing attempts can also be made through digital workplace systems like Slack or Teams, which makes in-person or phone confirmation all the more helpful.

7. Report unsuccessful phishing attempts

If you identify a phishing attempt before any data is transmitted, forward the attempt to phishing@irs.gov (put "W-2 Scam" in the subject line) and file a complaint with the FBI’s Internet Crime Complaint Center to help improve overall knowledge of this type of attack.

8. Utilize your legal and insurance teams

Remember, if a W-2 phishing scam does get through your walls of defense, it is considered a data breach, so be sure to contact both your legal team and your cyber insurance broker as soon as it is uncovered. We can help with protocols for handling internal procedures following the data breach as well as what comes next. If you are a Resilience insured, report a claim and call our Emergency Hotline, 302-722-7236. We will work on your behalf to try to halt fund transfers and provide access to training solutions to make you more resilient against future attacks.


Tax season is prime time for scams, but that doesn’t mean your team has to be afraid. With a few key habits, your organization can stay on the lookout for suspicious behavior and help protect your data as well as that of your employees.


Michael Phillips
January 28, 2021