Email Security Blog

Tax season is open – and W-2 scammers are back in force

Agari February 2, 2018 Cybercrime

With the 2018 US tax filing season now open, the race is on to submit your taxes before it becomes a mad scramble through a pile of receipts in early April. Now however, there’s one more reason to submit quickly – getting there before a cunning cyber criminal beats you to it.

Fraudsters are increasingly targeting businesses with deceptive emails to steal the W-2 forms of their employees. The criminals can then sell the data, which includes Social Security numbers, salaries and personal information, on the dark web for a quick profit, or use the information to conduct social engineering attacks on the victim. In a new twist, criminals have even been completing and submitting tax returns on behalf of the victim – and then claiming their tax refunds for themselves. The first the victim usually knows about it is when they go to submit their own returns, only to be told they have apparently already done so.

The W-2 scam is on the rise, with the IRS recently stating it received 900 reports from businesses in 2017 – up from just 100 in 2016. Over 200 organizations fell prey to the attacks, with hundreds of thousands of individuals having their details stolen as a result.


The attacks themselves are a variation on the dangerous Business Email Compromise (BEC) scam, which the FBI reports have cost more than $5B between 2013 and 2016 alone. The scammers will research the target organization to discover who handles its payroll, and then impersonate a senior executive over email to request the W-2 forms for all staff.

Get the BEC Attack Trends Report

In BEC scams, more competent criminals can create very convincing deceptive emails which are almost indistinguishable from the real thing, disguising key signifiers such as the sender name, return address and IP address. Because the attack is impersonating a trusted authority within the company, many payroll employees will simply follow through with the request without a second thought.

Payroll staff should be made aware of the increased likelihood of deceptive emails requesting W-2 forms during the tax season, and companies should also implement stricter policies around sharing confidential data. However, firms should not rely on staff to catch everything, as well-crafted fraudulent emails can be indistinguishable from the real thing.

Instead, businesses should safeguard their employee’s W-2 forms by preventing deceptive emails from ever reaching their intended targets – and this is where Agari can help. Unlike most solutions which attempt to spot signs of malicious emails, Agari Enterprise Protect draws on analysis from more than two trillion emails each year to create a model of what a good email looks like. Armed with this intelligence, the solution is able to identify and block fraudulent emails with an unparalleled degree of accuracy.

Organizations that have already suffered W-2 theft should contact the IRS immediately at, as there is a chance the IRS can take steps to prevent employees from becoming tax fraud victims. Those that have been contacted by fraudsters but spotted the scam can also notify the IRS at More guidelines and support from the IRS are available at the IRS website.

With the W-2 scam looking to become even more widespread in the 2018 tax filing period, organizations need to work quickly to protect their employees from tax fraud. In the meantime, it’s time for citizens to put their tax returns on the top of their to-do list.

For more information from Agari and the SANS Institute on fighting targeted email threats such as BEC, view our webinar.

Watch the BEC Webinar

Agari Blog Image

July 29, 2022 Crane Hassold

The “I’s” Have It: How BEC Scammers Validate New Targets with Blank Emails

Have you ever received a blank email from someone you don’t know? If you have,…

Laptop with multiple paddle locks with key holes

January 24, 2022 John Wilson

2022 Data Privacy Week – Education and Inspiration

As the world becomes more and more dependent on online resources to complete daily tasks,…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

mobile image