Email Security Blog

Tax season is open – and W-2 scammers are back in force

Agari February 2, 2018 Cybercrime

With the 2018 US tax filing season now open, the race is on to submit your taxes before it becomes a mad scramble through a pile of receipts in early April. Now, however, there’s one more reason to submit quickly – getting there before a cunning cyber criminal beats you to it.

Fraudsters are increasingly targeting businesses with deceptive emails to steal the W-2 forms of their employees. The criminals can then sell the data, which includes Social Security numbers, salaries and personal information, on the dark web for a quick profit, or use the information to conduct social engineering attacks on the victim. In a new twist, criminals have even been completing and submitting tax returns on behalf of the victim – and then claiming their tax refunds for themselves. The first the victim usually knows about it is when they go to submit their own returns, only to be told they have apparently already done so.

The W-2 scam is on the rise, with the IRS recently stating it received 900 reports from businesses in 2017 – up from just 100 in 2016. Over 200 organizations fell prey to the attacks, with hundreds of thousands of individuals having their details stolen as a result.


The attacks themselves are a variation on the dangerous Business Email Compromise (BEC) scam, which the FBI reports has cost more than $5B between 2013 and 2016 alone. The scammers will research the target organization to discover who handles its payroll, and then impersonate a senior executive over email to request the W-2 forms for all staff.


In BEC scams, more competent criminals can create very convincing deceptive emails which are almost indistinguishable from the real thing, disguising key signifiers such as the sender name, return address and IP address. Because the attack is impersonating a trusted authority within the company, many payroll employees will simply follow through with the request without a second thought.

Payroll staff should be made aware of the increased likelihood of deceptive emails requesting W-2 forms during the tax season, and companies should also implement stricter policies around sharing confidential data. However, firms should not rely on staff to catch everything, as well-crafted fraudulent emails can be indistinguishable from the real thing.

Instead, businesses should safeguard their employees’ W-2 forms by preventing deceptive emails from ever reaching their intended targets – and this is where Agari can help. Unlike most solutions, which attempt to spot signs of malicious emails, Agari Enterprise Protect draws on analysis from more than two trillion emails each year to create a model of what a good email looks like. Armed with this intelligence, the solution is able to identify and block fraudulent emails with an unparalleled degree of accuracy.

Organizations that have already suffered W-2 theft should contact the IRS immediately at, as there is a chance the IRS can take steps to prevent employees from becoming tax fraud victims. Those that have been contacted by fraudsters but spotted the scam can also notify the IRS at More guidelines and support from the IRS are available at the IRS website.

With the W-2 scam looking to become even more widespread in the 2018 tax filing period, organizations need to work quickly to protect their employees from tax fraud. In the meantime, it’s time for citizens to put their tax returns at the top of their to-do list.

For more information from Agari and the SANS Institute on fighting targeted email threats such as BEC, view our webinar.
