Phishing for Your W-2: Key Cybersecurity Tips to Avoid Being Caught During Tax Season


Phishing campaigns topped the IRS “Dirty Dozen” List of Tax Scams for 2017. In the previous year, the IRS saw a 400% surge in phishing and malware incidents during tax season, which cost American taxpayers $21 billion. This exclusive article covers what phishing is, who is targeted by tax-related phishing campaigns and how to protect yourself and your business during tax season.

Spearphishing and Phishing and BEC, Oh My!

Before we dive into specific tax related phishing campaigns, let’s first define phishing. In its simplest form, phishing is a type of social engineering in which an attacker crafts an email, posing as a well-known company or person, to gain a victim’s highly confidential information. This personal information includes login credentials, SSNs, credit card numbers, DOBs, and more. A link is typically embedded in the email that redirects an unsuspecting end user to a lookalike login page of a bank or an email web application login. The lookalike page is commonly one or two letters off (a method known as “spoofing” a web domain). For example, www.bankofamerica.com and www.offlce365.com. Both of those domains have simple misspellings that may trick the average eye into thinking it is the legitimate website.

Once a victim enters their credentials, the attacker has access to the username and password, while redirecting the victim to the legitimate site. Phishing is also a vehicle for attackers to deliver malware, including ransomware onto a computer. Tax-related phishing is similar to normal phishing but the primary goal is to steal W-2s to commit income tax fraud.

Tax-related phishing is most commonly achieved through Business Email Compromise (BEC). BEC is a more targeted form of phishing (spear phishing). In a BEC, the attacker will impersonate a C-Suite executive within the company—typically the CEO or CFO. A BEC begins with an attacker successfully gaining access to an executive’s email inbox, usually through spear phishing or keylogging malware. With access to the executive’s account, the attacker monitors activity to identify potential targets such as the persons responsible for performing financial transactions. With potential victims identified, the attacker will now send an email pretending to be from the executive to get an employee, customer, or vendor to transfer funds or sensitive documents. With respect to tax fraud, a successful BEC would look as follows:

Who’s the target and who’s the impersonator?

Attackers will pose as company executives and authorities at federal tax organizations. Typically, the tone of the phishing email will spread fear, uncertainty and doubt to the victim. Tax phishing, just like other forms exploits common human emotions. Emails may threaten with legal action, claiming the recipient’s company misfiled their taxes or some many offer fake tax funds.

Steps to take if you receive a Phishing email.

  • Always trust your instincts. If the email seems “phishy,” it usually is
  • Verify the sender. If the email claims to be your boss or someone of authority in your company, take a walk over to their desk or call to confirm
  • Hover over the sender’s email address. Their name might be correct but when you hover, over it may reveal a suspicious email
  • Check for grammar. Grammatical errors can be a telltale sign of a hacker—known entities are typically more careful with these details
  • Confirm the Site. Ensuring the website URL is correct, including sites claiming to be government agencies or tax software companies, is an easy way to spot a lookalike webpage
  • Consider the source. Tax-related government agencies do not contact you via email, social media, or text message
  • Bookmark tax related sites. “Favoriting” websites you frequently visit leaves less room for error and ensures that you visit the legitimate website
  • Check before you click. Consult with your IT Department if you are concerned about a suspicious email, and avoid clicking any links

What if you DO click the link?

  • It’s better to be safe than sorry. Immediately contact your IT security team if you think handed over your network credentials due to phishing. Then, change your credentials as soon as possible
  • Check for malware. Have your IT team examine your laptop for malicious software that may have been downloaded as a result from clicking the link
  • Prevent fraud. Contact the IRS if W-2 forms were sent to an attacker

Know the individual steps you can take to protect your personal finances, and breed a corporate culture that champions cybersecurity best practices echoed from the top down. It is critical for companies to conduct internal and ongoing phishing assessments to address any gaps in employees’ ability to identify and mitigate phishing emails. While cyber attackers feed on fear, always remember that education will beat any sophisticated phishing email.

For more information on how to safeguard your personal and business’s financial information during tax season, contact our cybersecurity advisors.

Message Us 212.842.7000







Sign up for Our Blog!

* All fields are required




By choosing to submit data, you are agreeing to the storage and usage of your contact information to deliver the requested services.