It’s February. Tax season is ramping up. Your accountant is getting busier. Your bookkeeper is pulling documents. Everyone is thinking about W-2s, 1099s, and deadlines.
Here’s the part nobody puts on the calendar: the first real tax-season headache usually isn’t a form. It’s a scam.
And there’s one that shows up well before April because it’s easy, believable, and aimed directly at small businesses. You may already have it sitting in someone’s inbox.
The W-2 Scam: How It Works
The setup is simple.
Someone in your company—usually whoever handles payroll or HR—gets an email that looks like it came from the CEO, owner, or another senior executive.
The message is short and urgent.
“Hey, I need copies of all employee W-2s for a meeting with the accountant. Can you send them over ASAP? I’m slammed today.”
It looks normal. The tone feels right. Tax season is busy, so the urgency doesn’t feel out of place. The request itself seems completely reasonable.
So the employee sends the W-2s.
Except the email didn’t come from the CEO. It came from a criminal using a spoofed address or a look-alike domain.
And now that criminal has every employee’s:
- Full legal name
- Social Security number
- Home address
- Salary information
Everything needed for identity theft. Everything needed to file fraudulent tax returns before your employees even start theirs.
What Happens Next
This is how most businesses discover the problem.
An employee files their tax return. It gets rejected with a message saying a return has already been filed for that Social Security number.
Someone else already filed in their name. They already claimed the refund. The money is gone.
Now that employee is dealing with the IRS, credit monitoring, identity theft protection, and months of paperwork because of a document they didn’t even know had been sent.
Multiply that by your entire payroll.
Now imagine explaining to your team that their personal information was compromised because someone responded to what looked like a routine internal email.
That’s not just a security issue. It’s a trust issue. It’s an HR nightmare. It can turn into legal exposure. And it damages confidence in leadership.
Why This Scam Works So Well
This isn’t an obvious scam. It doesn’t look fake at first glance.
It works because the timing is perfect. W-2 requests are expected in February, so nobody questions why someone would ask for them.
The request is reasonable. It’s not a wire transfer or gift cards. It’s something that really does get shared during tax season.
The urgency feels normal. “I’m slammed today—can you send this quickly?” doesn’t raise alarms in a busy office.
The sender looks legitimate. Criminals research their targets. They know who the CEO is. Sometimes they know your accountant’s name. They make it convincing because they’ve done their homework.
And employees want to be helpful—especially when a request appears to come from leadership. Urgency often overrides verification.
How to Protect Your Business Before This Lands
The good news is that this scam is very preventable, and it relies more on clear rules and culture than expensive technology.
First, establish a strict “no W-2s via email” rule. No exceptions. W-2s and other sensitive payroll documents should never be sent as email attachments. If someone asks for them by email—even if it appears to be the CEO—the answer is no.
Second, require verification through a second channel for any sensitive request. A phone call, an in-person conversation, or a direct message using a known contact method is enough. Use a number you already have, not one provided in the email. Thirty seconds of verification can prevent months of cleanup.
Third, hold a short tax-season scam huddle now, not later. Let payroll and HR staff know these scams are about to spike, what they look like, and exactly what to do when they see one. Awareness is inexpensive protection.
Fourth, lock down payroll and HR systems with multi-factor authentication. If credentials get phished, MFA is often the last barrier that stops an attacker.
Finally, make verification part of your culture, not a burden. An employee who double-checks a request from leadership should be supported, not made to feel difficult or paranoid. When questioning is encouraged, scams have nowhere to hide.
Five rules. Simple enough to implement this week. Strong enough to stop the first wave.
The Bigger Picture
The W-2 scam is usually just the opening act.
Between now and April, businesses should expect a surge in tax-themed attacks, including:
- Fake IRS notices demanding immediate payment
- Phishing emails disguised as tax software updates
- Spoofed messages from “your accountant” with malicious links
- Fraudulent invoices timed to look like legitimate tax expenses
Criminals love tax season because people are busy, distracted, and accustomed to financial requests that feel routine.
Businesses that make it through tax season without an incident aren’t lucky. They’re prepared.
They have policies. They train their teams. They put systems in place that catch suspicious requests before they turn into real damage.
Is Your Business Ready?
If your team already knows what to look for and your policies are clearly defined, that’s great. You’re ahead of most small businesses.
If not, now is the right time—not after the first scam hits.
If this sounds like your business, book a 10-minute discovery call and we’ll review:
- Payroll and HR access controls
- MFA coverage
- W-2 handling and verification rules
- Email protections that detect spoofing
- The policy gap most businesses don’t realize they have
If it doesn’t sound like you, there’s a good chance you know a business owner it does sound like. Forward this article to them. It could save them a very expensive headache.
Book your 10-minute discovery call here
Because tax season is stressful enough without identity theft on top of it.
