IRS Warns Human Resource Professionals to Watch Out for New W-2 E-mail Phishing (“Spoofing”) Scheme



By: James M. Reid


The Internal Revenue Service (“IRS”) has alerted human resource professionals to a new phishing scheme designed to get employee W-2 information that contains social security numbers and other personally identifiable information.  (  The scheme is referred to as “Spoofing.”

How does it work?  Human Resource Professionals will typically receive an e-mail that will contain the actual name of the employer’s Chief Executive Offer (“CEO”) or President (however if you took the time to click on the e-mail address you would discover that it was not the employer’s e-mail address).  The information is typically used for identify theft purposes.  According to the IRS, the e-mail frequently contains variations of the following statements:

  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

What steps should I consider taking to keep employee information secure? 

  • Prepare a social security privacy and record retention policy.
  • Remove personally identifiable information from documents before sharing.
  • Receive professional training about how to keep employee information secure.
  • Do not produce personal information electronically until you receive approval by meeting with the CEO/President.
  • Use security software that updates automatically.
  • Protect employee personal information like it is cash.
  • Use a spam filter that sends yahoo, gmail, aol e-mails to a junk folder until you verify that you know the sender.
  • Don’t open attachments unless you know the sender.

A client of mine recently became a victim of this scheme.

What steps should I consider taking if I fall victim to this scheme? 

  • Immediately notify employees and provide them with an IRS Form 14039-Identify Theft Affidavit.
  • Instruct employees to check credit reports.
  • Offer employees a monitoring service.
  • Provide professional training about how to keep employee information secure.
  • Consult an experienced legal advisor.
  • Determine if the employer has insurance that covers this situation. 

Failure to: (1) protect personally identifiable information; (2) immediately notify employees of the release of such information; and/or (3) take corrective action exposes the employer to liability.  Before falling victim to the Spoofing scheme, employers should consult with an experienced employment attorney to confirm that employees’ personally identifiable information is being protected in accordance with State/Federal law and best practices. 

This article was written by JAMES M. REID, a member of the Legal Affairs Committee of Detroit SHRM, a Resource Partner and Director of MISHRM, and a shareholder of the law firm of Maddin Hauser Roth & Heller PC located in Southfield, Michigan. He can be reached at (248) 351-7060 or 

Detroit SHRM encourages members to share these articles with others, inside and outside their organization, as long as its name and logo, and the author’s information, is included in the re-post of the article. March 2016.