CUNA Mutual Group Risk Alert: W-2 Phishing Scams Resurface

The Internal Revenue Service (IRS) is warning employers to educate human resources and payroll personnel about phishing scams involving W-2s. The phishing scam attempts to trick employees into sharing W-2 information. Fraudsters can use employees’ sensitive information to file fraudulent tax returns as well as commit other forms of identity theft.

The IRS is warning businesses of a phishing scam where a company executive’s email is compromised or spoofed. The phishing email is sent to employees in payroll or human resources requesting copies of W-2s for all employees. The fraudsters’ tactics are similar to those used in the CEO email fraud scam, also known as business email compromise.

The criminals research organizational structures to determine who to target with these emails. These fraudulent emails may initially start out friendly - such as “how are you today” - before asking for W-2s or sensitive data such as all employee names, addresses, Social Security numbers, incomes, etc.

Fraudsters use the information to file fraudulent tax returns and also sell it on the dark web. It can be days or even weeks before you realize you’ve fallen victim to the phishing scam. The IRS suggests that if you receive a phishing email, notify them at and use “W2 Scam” in the email subject line.

Risk Mitigation
Credit unions should consider:

  • Educating payroll and HR employees to be aware of this scam and to report it if received. Employees should not respond to the request.
  • Creating a policy to limit the number of employees who have authority to handle Form W-2 requests. Require additional verification of the sender before responding.
  • Reinforcing good data security practices and employee behavior through security awareness training that addresses risks associated with phishing and malware infection.
  • Not disclosing your employees’ email addresses or the credit union’s organizational structure on your public websites.

Risk Prevention Resources
Access CUNA Mutual Group’s Protection Resource Center at for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password. To learn more, review these resources: