What Is the W-2 Email Scam, and How Do You Stop It?

The W-2 email scam fakes a message from your CEO asking payroll to send every employee's W-2. The fix is a flat policy: never email W-2s, and verify the request by phone first.

The first tax-season attack on most small businesses isn't a tax form. It's a fake email from the boss asking payroll to send over everyone's W-2s. It works because in February that request looks completely normal, and one of these emails may already be sitting in an inbox at your company.

How the W-2 scam actually works

Someone on your payroll or HR team gets an email that looks like it came from the CEO, the owner, or another senior person. It's short and a little rushed:

"I need copies of all employee W-2 forms for an upcoming accountant meeting. Can you send these right away? I'm swamped today."

Nothing about it feels off. The tone fits a busy week, the ask is one people field all the time in February, so the employee sends the W-2s. The email wasn't from the CEO. It came from a criminal using a spoofed address or a lookalike domain.

Now that person has, for every employee, the full legal name, Social Security number, home address, and salary. That's everything a criminal needs to steal an identity or file a fraudulent tax return before the real employee does.

What happens after the W-2s go out

The employee usually finds out when their own return gets rejected: a return has already been filed for this Social Security number. Someone else filed in their name, claimed the refund, and got paid.

From there it's months of cleanup: the IRS, credit monitoring, identity theft protection, and a stack of paperwork, all from one email that should never have been trusted. Multiply that across your whole payroll, then picture telling your staff their personal data is out because of a phishing email.

This goes well past a security problem. It breaks trust, it turns into an HR mess, it opens you up to lawsuits, and it follows your reputation around.

Why it fools smart people

This isn't a sloppy scam email with bad grammar and a Nigerian prince. A few things make it land:

  • The timing is perfect. W-2 requests are routine in February, so no one blinks.
  • The ask is plausible. It's not a wire transfer or a gift card. It's real documents people share at this time of year anyway.
  • The urgency reads as a normal busy day, not a red flag.
  • The sender looks real. Attackers do their homework and use the right executive names, sometimes your accountant's too.
  • People want to help the boss, fast. Speed wins, and the verification step gets skipped.
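
An added example, not part of the original article: a small Python check that holds inbound mail showing the sender tricks described above (a W-2 ask, an executive's name on an outside or lookalike domain) plus two related header signals, a Reply-To that points elsewhere and a failed DMARC result. The company domain, executive name, and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"   # assumed: your real mail domain
EXECUTIVES = {"dana whitfield"}     # assumed: names an attacker would impersonate
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_w2_request(raw):
    """Return the reasons a message should be held for phone verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    if W2_PATTERN.search(msg.get("Subject", "") + " " + body):
        reasons.append("asks for W-2s")
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive name on outside address")
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike domain")
    if reply_domain and reply_domain != domain:
        reasons.append("reply-to goes elsewhere")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("failed DMARC")
    return reasons

# Constructed sample messages (not real mail)
LOOKALIKE = """From: Dana Whitfield <dana@examp1e-co.com>
Subject: W-2 forms

I need copies of all employee W-2 forms for an upcoming accountant meeting.
"""
SPOOFED = """From: Dana Whitfield <dana@example-co.com>
Reply-To: dana.whitfield@mail-box.example
Authentication-Results: mx.example-co.com; dmarc=fail header.from=example-co.com

Can you send the W2s right away? I'm swamped today.
"""
```

Any non-empty result is a reason to pick up the phone before replying, not proof of fraud; an empty list does not make the request safe to fulfil by email.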

Five rules that stop it

Good news: this one is preventable, and it's mostly about policy and habits, not expensive software.

  1. Never email W-2 forms. No exceptions. Sensitive payroll documents shouldn't leave your systems as email attachments. If a request comes by email, the answer is no, even when it looks like it's from your CEO.
  2. Verify on a second channel. Confirm any sensitive request by phone, in person, or company chat, never by replying to the email. Use a number you already have, not one from the message. Thirty seconds of checking saves months of cleanup.
  3. Brief payroll and HR this week. Ten minutes is enough. Show them what the email looks like, tell them these are spiking right now, and walk through exactly what to do when one lands.
  4. Turn on MFA for payroll and HR. Put multi-factor authentication on every system that holds employee data. If a password leaks, MFA still keeps the attacker out.
  5. Make verifying normal, not rude. Thank people who stop to check a request instead of treating it as distrust. They're your first line of defense.

Five rules, all of them quick to set up, and together they shut down the first wave.

The W-2 scam is just the opener

Expect more tax-themed attacks between now and April:

  • Fake IRS notices demanding payment now.
  • Phishing dressed up as tax software updates.
  • Spoofed emails from your accountant carrying bad links.
  • Fake invoices timed to pass as real tax expenses.

It all rides on the same thing: tax season is rushed, and money requests look routine. The businesses that get through clean aren't lucky. They have policies, a trained team, and systems that flag the weird stuff before it does damage.

Are you ready for it?

If your policies are tight and your team knows the signs, you're already ahead of most small businesses. If not, fix it now, before the first email shows up.

We offer a free 15-minute Tax Season Security Check. We'll go over your payroll and HR access controls and MFA, how you verify W-2 requests, how well your email holds up against spoofing, and the one policy change a lot of businesses miss.

Already covered? Good. Pass this to another owner who isn't. It might save them a very expensive spring.
