Skip to main content

Protect Your Company Against W-2 Business Email Compromise Attacks During Tax Season

January 29, 2019

The most likely “cyber attack” that your company will face will come in the form of an email. One of the most common forms of email attack is the business email compromise (BEC) and the most popular time of the year for the W-2 version of BEC is right now — tax season.

What is a W-2 BEC Attack?

A BEC attack is when the attackers send emails disguised as coming from high-level executives within a company, such as the CEO, to lower level personnel requesting that W-2s for employees be provided by return email. While the email looks identical to the executive’s email, it is coming from — and then returned to — the criminal, not the executive, along with the W-2s.

The company now has experienced a serious data breach and must comply with certain legal requirements. Worse yet, the company’s employees’ sensitive personal information has been given to the attackers and they have this problem to worry about instead of performing their job. The disruption is substantial in their personal lives and in your company.

How Do Attackers Use the W-2 Information?

In most cases, once the attackers have that W-2 information, they use it to attempt to file fraudulent tax returns for those employees and have their tax refunds sent to them instead of the employee. They also use it for traditional identity theft.

The attackers act very quickly once they have this information. We have assisted companies in cases where the attackers were attempting to file such tax returns on the same day they obtained the W-2 information from the company. Time is truly of the essence in responding to these attacks.

Why Do So Many of These Attacks Happen During Tax Season?

Law enforcement officers and cybersecurity professionals report a drastic increase in these types of attacks during the beginning of each year because it is tax season. This is consistent with what we have seen in helping companies with these cases in past years as well. The reason this type of attack is so common during tax season is because of the tax-related fraud aspect of this type of attack. That is, the attackers monetize their attacks by using the fraudulently obtained information to file fraudulent tax returns and obtain refunds from innocent victims and the sooner they can do this, the better their chances are of getting the refund before the taxpayer files and receives their tax refund.

If your company has not yet been targeted, it is likely that it will be very soon so it is important to be prepared.

What Can You Do Now to Protect Your Company?

1. Educating your employees is critical because they will be the ones who receive the emails from the attackers.

  1. Make them aware of this issue by sharing this Alert with them so that they understand what this threat, how it works, and how it could affect them personally.
  2. Train them by having appropriate personnel discuss this threat with them and help them understand that they should be very suspicious of any requests to email out anything of this nature (or make payments, such as with the very similar wire transfer version of the BEC).

2. Have appropriate internal controls in place to protect against these types of attacks. Examples of such internal controls are:

  1. Limit who has access to your company’s W-2s and other sensitive information as well as who has the authority to submit or approve wire payments.
  2. Have established procedures in place for sending W-2 information or other sensitive information as well as for submitting or approving wire payments so that dual approvals are required for these activities.
  3. Require employees to use an alternative means of confirming the identity of the person making the request. If the request is by email, the employee should talk to the requestor in-person or call and speak to the requestor using a known telephone number to get verbal confirmation. If the request is by telephone or fax (many times they are), then use email to confirm by using an email address known to be correct to confirm with the purported requestor. Never reply to one of these emails or use a telephone number that is provided in one of these emails, faxes, or telephone calls.

What To Do if Your Company is Hit by this Attack?

1. Immediately contact experienced legal counsel who understands how to guide your company through these incidents and, ideally, has appropriate contacts with law enforcement to assist in reporting this incident quickly.

2. Report the incident to the FBI or Secret Service and appropriate IRS investigators so that the IRS can implement appropriate procedures to protect your employees whose information was exposed in the W-2s.

3. Prepare appropriate notifications to the people whose information was exposed and comply with all legal and regulatory reporting requirements (see Incident Response Checklist).

4. Inform your employees that the IRS will never contact them directly, for the first time, via email, telephone, text message, social media or any way other than through a written “snail mail” letter from the IRS.

This blog post was drafted by Shawn Tuma, a Partner in the Dallas – Collin County, TX office of Spencer Fane LLP. For more information, visit