Some employees in HR or payroll may not think twice about responding to an email from senior management requesting employee data or payroll records.

Not so fast. Is that email really from a C-suite executive? Just because it looks like it’s from upper management doesn’t mean it really is.

The IRS has issued alerts to all employers that the Form W-2 email phishing scam has returned this tax season and is currently targeting HR and payroll departments at temporary staffing agencies, chain restaurants, healthcare organizations, shipping companies, school districts, and even nonprofits.

According to the IRS, here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email so that it appears to come from a senior executive. The email is sent to an employee in HR or payroll, requesting a list of all employees and their W-2 forms.
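The pattern described above can also be screened for before a message reaches HR or payroll. The following is an added example, not code from the IRS or the original article: it flags a W-2 or payroll request whose sender identity does not line up. `ORG_DOMAIN`, `EXECUTIVES`, the function names and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                 # assumption: your organization's mail domain
EXECUTIVES = {"pat rivera", "sam okafor"}  # assumption: names an attacker would impersonate
W2_TERMS = re.compile(r"\bw-?2s?\b|wage and tax statement|payroll records?", re.I)

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def body_text(msg):
    # Collect every text/plain part, so multipart messages are covered too.
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")

def w2_scam_indicators(raw):
    """Return the reasons a raw message resembles the W-2 request scam."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != ORG_DOMAIN:
        reasons.append("executive display name on an outside address")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To leads to a different domain than From")
    if W2_TERMS.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        reasons.append("asks for W-2 or payroll data")
    return reasons

def should_hold(raw):
    """Hold for phone confirmation: a W-2 request plus an identity mismatch."""
    reasons = w2_scam_indicators(raw)
    return "asks for W-2 or payroll data" in reasons and len(reasons) > 1

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "Pat Rivera" <pat.rivera@exec-mail.test>\n'
             "Subject: Need employee W-2s today\n\nSend me all employee W-2 forms as a PDF.\n")
REPLY_DIVERT = ('From: "Sam Okafor" <sam.okafor@example.com>\n'
                "Reply-To: sam.okafor@mailbox.test\n"
                "Subject: Payroll records\n\nPlease email the payroll records.\n")
ROUTINE = ('From: "Pat Rivera" <pat.rivera@example.com>\n'
           "Subject: W-2 mailing schedule\n\nForms go out by post on Friday.\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("reply-divert", REPLY_DIVERT),
                       ("routine", ROUTINE)]:
        print(label, should_hold(raw), w2_scam_indicators(raw))
```

A request sent from a genuinely compromised executive mailbox passes both identity checks, so a filter like this supplements confirmation by phone or in person rather than replacing it.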

Last year, an estimated 100 businesses that collectively supported 125,000 employees were victims of these scams. In its effort to prevent more employers from being scammed, the Minnesota Department of Revenue launched a campaign – Stop. Connect. Confirm. – that offers the following tips for any organization.

  • Stop: If you get an email asking you to send employee W-2 or other private/sensitive information, stop to confirm if the request is legitimate before you hit send.
  • Connect: Criminals have perfected techniques to trick you into thinking an email is coming from a person you work with. Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to confirm the sender’s request. The sender could be a criminal, disguising their identity with a fake email address.
  • Confirm: If you confirm a legitimate request, take steps to protect the information before you send it.

Still, there’s more HR can do. According to The National Law Review, HR can develop written policies and procedures for emailing employees’ confidential tax-related information, requiring that it “only be done with 100% confidence that the intended recipient is within the organization and has requested the information.” A good example of such a policy is requiring a phone call confirmation before hitting send. Employers can also use encryption technology when emailing sensitive employee data.

This scam has the impact of a one-two punch. After receiving employee information, cybercriminals then follow up with a second email to payroll or the comptroller, asking that a wire transfer be made to a certain account. Although this isn’t tax related, the IRS says that the wire scam is coupled with the W-2 scam email and has caused some companies to lose both sensitive employee data and thousands of dollars.

If you receive these fake emails, please forward them to and type W-2 Scam in the subject line. Also file a complaint with the Internet Crime Complaint Center, operated by the FBI.

But if your employees have their Forms W-2 stolen, tell them to log on to the IRS’ website or the Federal Trade Commission’s website for a list of recommended actions. Then they also need to file Form 14039, an Identity Theft Affidavit, if their own tax return is rejected because of a duplicate Social Security Number.

Unfortunately, cybercriminals will continue scamming others until they get caught or the job no longer pays well. Train employees about these scams and enforce your policies so your workers don’t become the next victims.