It’s February. Your accountant’s calendar is filling up. Payroll is pulling W-2s. Everyone’s in tax mode.

And scammers know it.

There’s one scam that shows up before April even hits—because it’s simple, believable, and aimed straight at small businesses. It might already be sitting in someone’s inbox.

The W-2 Scam: Dead Simple, Massively Damaging

Here’s how it plays out:

Your payroll or HR person gets an email that looks like it’s from you (the owner) or another senior exec.

“Hey, I need copies of all employee W-2s for a meeting with the accountant. Can you send them ASAP? I’m slammed today.”

Sounds normal. Timing makes sense. The urgency feels typical for tax season.

So they send the W-2s.

Except that email wasn’t from you. It was from a criminal using a spoofed address or look-alike domain.

Now they’ve got every employee’s:

  • Full legal name
  • Social Security number
  • Home address
  • Salary information

Everything needed to file fraudulent tax returns in your employees’ names before they do.

How Your Employees Find Out

They file their return. It gets rejected.

“Return already filed for this Social Security number.”

Someone already filed. Already claimed the refund. Already got paid.

Now your employee is dealing with the IRS, credit monitoring, fraud alerts, and months of paperwork to fix something they didn’t even know was stolen.

Multiply that by your entire staff. Then imagine the conversation where you explain how it happened.

That’s not just a security problem—it’s a trust problem. An HR nightmare. Potentially a lawsuit. Definitely a reputation hit.

Why This Actually Works

This isn’t some obvious spam email. It works because:

The timing is perfect. W-2 requests are expected in February. Nobody questions it.

The request is reasonable. It’s not “wire $50,000 to this account.” It’s something that actually gets shared during tax season.

The urgency feels normal. Everyone’s busy. “Can you send this quick?” doesn’t raise flags.

The sender looks legitimate. Criminals research targets. They know names. Sometimes they know your accountant’s name. They do their homework.

Employees want to help. Especially when “the boss” asks. Urgency overrides verification every time.
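The signals above (look-alike domain, spoofed address, a W-2 ask, urgency) can also be checked mechanically before a message reaches payroll. The sketch below is an added example, not part of the original article. It assumes your domain is example.com, a hypothetical owner named Dana Owner, plain-text single-part mail, and a mail server that stamps an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"    # assumption: your real mail domain
EXEC_NAMES = {"dana owner"}   # assumption: display names worth impersonating
W2_RE = re.compile(r"\bw-?2s?\b", re.I)
URGENT_RE = re.compile(r"\b(asap|urgent|right away|slammed)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def w2_request_flags(raw):
    """Return warning flags for one plain-text (single-part) message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()  # stamped by your mail server
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        flags.append("own-domain-without-dmarc-pass")  # likely a spoofed address
    if domain != ORG_DOMAIN:
        if edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        if name.lower() in EXEC_NAMES:
            flags.append("exec-name-on-outside-address")
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-mismatch")
    if W2_RE.search(text):
        flags.append("w2-request")
        if URGENT_RE.search(text):
            flags.append("urgency")
    return flags

# Constructed sample messages (not real mail).
LOOKALIKE = ("From: Dana Owner <dana@examp1e.com>\nSubject: W-2s for accountant\n\n"
             "I need copies of all employee W-2s. Can you send them ASAP?\n")
SPOOFED = ("From: Dana Owner <dana@example.com>\nReply-To: dana@mailbox.invalid\n"
           "Authentication-Results: mx.example.com; dmarc=fail\nSubject: Quick request\n\n"
           "Please send the W2 forms for everyone.\n")
```

A flag is a reason to verify by phone, not proof of fraud, and a message that raises no flags still falls under the rules below.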

Five Rules to Stop This Before It Happens

The good news: this is completely preventable. It takes clear policy more than expensive technology.

1. No W-2s via email. Ever.

Period. Full stop. No exceptions—even if it looks like the request came from you. Sensitive payroll documents don’t leave your building through email attachments.

2. Verify every sensitive request in a different channel

Got an email asking for employee data? Pick up the phone. Walk down the hall. Use a number you already have—not one in the email. Takes 30 seconds. Saves months of cleanup.

3. Have the conversation today

Don’t wait until “closer to April.” Pull your payroll and HR people aside right now. Ten minutes. Show them what these emails look like. Tell them what to do when one lands. Awareness is cheap insurance.

4. Lock down access with MFA

Multi-factor authentication on anything that touches employee data. If someone’s credentials get phished, MFA is the last door between a criminal and your payroll system.

5. Make verification part of your culture

The employee who calls to double-check a request from you should be praised—not made to feel paranoid. When questioning is rewarded, scams die at the door.

This Is Just the Opening Act

The W-2 scam is early. Between now and April, expect a flood of tax-themed attacks:

  • Fake IRS notices demanding immediate payment
  • Phishing emails disguised as tax software updates
  • Spoofed messages from “your accountant” with malicious links
  • Fraudulent invoices timed to look like tax expenses

Criminals love tax season. Everyone’s distracted, moving fast, and financial requests feel normal.

Businesses that get through clean aren’t luckier. They’re prepared.

They have policies. They have trained teams. They have systems that catch suspicious requests before they become disasters.

Is Your Team Ready?

If you’ve got policies in place and your team knows what to watch for—great. You’re ahead of most.

If not, now’s the time. Not after the first scam hits.

We’re running 10-minute security checkups this month to help DC-area businesses get ahead of tax season scams. We’ll review:

  • Payroll/HR access and MFA setup
  • W-2 verification protocols
  • Email protections that catch spoofing
  • The one policy gap most businesses miss


If this doesn’t apply to you but you know a business owner who needs it—forward this along. It might save them a very expensive headache.

Because tax season is stressful enough without identity theft on top of it.