Skip to main content
Internet Security

IRS Calls This One of the Most Dangerous Email Phishing Scams

Written for NortonLifeLock

Feb. 3, 2017

If it works, keep doing it—and make it better. That seems to be the philosophy of some identity thieves. Of course, “better” for them is “worse” for the rest of us. In this case, the issue is a scam that caught a lot of attention in 2016—the Form W-2 phishing scam—combined with an older, wire-transfer scam. As a result, thieves are using email to target some organizations in two ways to steal employee W-2 information.

Spoofing an executive

Here’s how the W-2 scam works. Cybercriminals use spoofing techniques to have an email appear to come from an organization’s executive. The thieves send the email to a specific employee in human resources or payroll, requesting a list of all employees and their Forms W-2.

Because the email appears to come from an executive, some employees feel a sense of urgency to reply with what was requested. Of course, W-2 forms give identity thieves everything they need to commit a variety of crimes, including filing fraudulent income tax returns.

Wire transfer scam

In the latest twist, the cybercriminal follows up with another “executive” email to someone with financial oversight, asking the recipient to make a wire transfer to the criminal’s bank account. While not tax related, the wire transfer scam has been coupled with the W-2 scam, and some organizations have lost both employee W-2s and thousands of dollars in wire transfers.

Internal Revenue Service Commissioner John Koskinen called this “one of the most dangerous email phishing scams we’ve seen in a long time.” He said it could result in the large-scale theft of sensitive data that criminals can use to commit various crimes.

An IRS urgent alert

In February 2017, the IRS issued an urgent alert to call attention to the two-edged scam. The agency also said that W-2 phishing scam attacks had spread from the corporate world to other sectors, including school districts, tribal organizations, and nonprofits.

In its alert, the IRS said organizations who receive a W-2 scam email should forward it to and place “W2 Scam” in the subject line. Whether victimized or not, organizations should also file a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.

Be careful with online “tax” searches

One other tip from the IRS in its alert—Be leery of using search engines to find technical help with taxes or tax software. Selecting the wrong link could lead to an infected computer or possible loss of data.

No doubt, email phishing attacks will continue and evolve, for no other reason than they’re relatively simple to execute. And even if only a small percentage of attacks actually pay off for cybercriminals, that payoff can be big—doubly so if an organization falls victim to both the W-2 and wire-transfer scams.

Be careful out there—and remind your favorite organizations that they should also be careful.

Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Start your protection,
enroll in minutes.