Stopping Scammers from Phishing HR and Payroll Personnel for W-2s and Other Private Employee Data


Nothing is certain except death and taxes—and phishing scams every tax season. "Phishing" is defined as identity theft taking place over the Internet. According to the IRS, phishing and malware incidents rose 400 percent in the 2016 tax season. Based on recent IRS alerts, these incidents have not diminished in the 2017 tax season. Both this year and last year, the IRS has discovered phishing schemes targeting tax professionals, payroll workers, human resources personnel, schools, individual taxpayers, and more.

Phishing Schemes Involving HR and Payroll Professionals
The IRS recently issued an alert to payroll and human resources professionals about phishing emails. These emails, purporting to be from company executives, request personal information about employees. Recipients who believed the emails to be trustworthy official communications have sent the scammers payroll data such as W-2 forms and employees’ social security numbers.

This type of phishing expedition, in which a scammer’s email is disguised as coming from a source the receiver knows and trusts, is called "spoofing." But it is no joke. The scammers’ goal is to collect money, passwords, social security numbers, and other information that can lead to identity theft, or to infect the recipient’s computer with malware that gives the scammer access to sensitive files or allows him to track keyboard strokes that expose login information.

Reacting to Suspicious Emails
If a recipient of an email purporting to be from a company executive is unsure about its legitimacy, she should check the sender’s email address against the email address in her records. Often, the fake email may have a missing or added period or letter. If the address is exactly the same, the recipient should call the executive to verify the email.

Generic requests for information should set off alarm bells. Fraudulent emails often are not personalized; many phishing emails begin with "Dear Sir/Madam."

Confidential information should not be submitted via forms embedded within email messages.

If there is any doubt as to the authenticity of links in an email purporting to connect to a website, the recipient of the email should open a new browser window and type the URL directly into the address bar. provides guidance to people who unwittingly clicked on a malicious email link or downloaded an attachment containing malware.

Ten Suggestions for Defending Against Phishing Attempts

  1. Companies that are not legally required to maintain unredacted W-2 forms may black out all but the last four digits of employees’ social security numbers on the forms.
  2. Only key personnel should have access to employees’ private information. Furthermore, their ability to copy and send this information should be restricted.
  3. All sensitive information should be encrypted.
  4. Computers should be protected with firewalls and anti-virus and anti-spyware software.
  5. Email filters may be used to block attachments or certain file types, strip URLs from messages, analyze sender domains, and perform Natural Language Processing to detect phishing.
  6. Domain whitelisting (allowing emails from certain sources) can prevent attacks with unknown domains or IP addresses.
  7. Outbound filtering may be used. SSL decryption can analyze outgoing emails to ensure sensitive information is not being sent.
  8. Security programs should be deployed on any devices employees use to send and receive company email.
  9. Employees should be trained regularly in recognizing and combating phishing scams.
  10. Companies may send fake e-mails to their employees to test their vulnerability to phishing scams.

Where to Report Email Scams
The FTC requests that phishing emails be reported here:

The IRS recommends forwarding phishing emails to and forwarding emails with malware that have not been clicked on or downloaded to

Legal Assistance
If you have any questions about your organization’s data security or privacy issues, please contact us at (562) 653-3200.



Related Practice Areas

Back to Page

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Privacy Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.