W-2 Tax Season Starts Early for Hackers

December 21, 2017

Hackers are on the prowl! With an increase in traffic of W-2 information in order to meet Internal Revenue Service deadlines, now is the time of year when hackers target organizations. Hackers seek out W-2 information because it provides valuable information such as an employee’s name, social security number, and address which allow them to impersonate an individual for financial gain. This past year has seen a rise in W-2 information theft, which poses a risk to all organizations. Since 2013, W-2 information thefts have resulted in losses in excess of $740 million.[1] 

The scheme itself is simple. Data thieves send an email impersonating a high level employee, such as a CEO or CFO, requesting the recipient send the requested W-2 information. The email typically indicates there is an urgent need for the information. Not wanting to question a high-level employee, as well as the urgent nature of the email, the recipient employee sends the W-2 information. Once obtained, this type of information is often used to file false tax returns, open credit card accounts and otherwise compromise the identity of individuals.   

Preparation and vigilance are key to preventing a W-2 information breach. Organizations should take the following steps to help avoid the theft of W-2 information:

  1. Encrypt. Always send W-2 information in an encrypted and secure manner.

  2. Access. Limit access to W-2 information to only necessary employees.

  3. Policies & Procedures. Establish policies and procedures regarding the transmittal and handling of W-2 information.

  4. Verify. Direct employees to verify the authenticity of all W-2 information requests.

  5. Redact. Only provide employees with information necessary to their job function.

  6. Assess. Conduct vulnerability assessments to evaluate your organization’s risk.

  7. Practice. Conduct tabletop exercises to practice implementation of your incident response plan.

  8. Update. Make sure network security is up to date.

  9. Review. Review and update your incident response plan.

  10. Training. Train employees on applicable policies and procedures and incident response plan.

Dykema’s privacy and data security team is ready to assist 24/7 and is able to provide remediation services within 24 hours if your organization falls victim to a W-2 information scheme. Our team can also assist with your organization’s data security program, procedures, training, or incident response plans. For more information, please contact Erin Fonté (, Ashley Jackson (, or your Dykema relationship attorney.

[1] Robin Sidel, Identity Thieves Target Employees’ W-2 Tax Forms, MarketWatch, April 3, 2016,

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. © 2021 Dykema Gossett PLLC.