IRS Phishing: $5.8 Billion Lost Annually to Tax Season Email Fraud
Annual IRS impersonation phishing campaigns steal billions by convincing employees to wire "outstanding tax payments" and harvesting W-2 forms containing the SSNs and income data of every employee at targeted companies.
Background
Tax season creates predictable anxiety about compliance. Attackers exploit IRS branding and urgency to conduct two distinct fraud types: BEC campaigns targeting payroll staff to obtain W-2 data, and direct impersonation demanding an immediate wire transfer for alleged tax debts.
The Attack
BEC W-2 attacks: attackers impersonate a CEO and email HR or payroll staff requesting "a copy of all W-2 forms for our employees" before April 15. The forms contain every employee's name, SSN, and income — sufficient for identity theft and fraudulent tax return filing. Hundreds of school districts, hospitals, and companies have fallen victim.

Direct IRS fraud: mass phishing emails impersonate the IRS with urgent notices of unpaid taxes, threatening arrest or asset seizure unless immediate payment is made via wire transfer or gift cards. The IRS never contacts taxpayers by email — but millions do not know this.
Response
The IRS publishes the "Dirty Dozen" list of common tax scams annually. The agency has a dedicated phishing reporting address (phishing@irs.gov). Many organisations now prohibit W-2 requests via email without verbal verification. State attorneys general have pursued some perpetrators.
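
One way to enforce the verbal-verification policy at the mail gateway, as an added example that is not from the original article: it holds any message to an HR or payroll mailbox that mentions W-2 forms, and separately reports when an executive's display name arrives from an address other than the known one. The directory, mailbox names, addresses, and action labels are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All names and addresses below are constructed sample values (assumptions).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # display name -> known address
W2_HOLDERS = {"payroll@example.com", "hr@example.com"}  # mailboxes that hold W-2 data
W2_PATTERN = re.compile(r"\bw[\s-]?2s?\b", re.IGNORECASE)  # W-2, W2, W 2, W-2s

def body_text(msg):
    """Concatenate every text/plain part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return the signals found and the resulting mail-flow action."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    w2_request = recipient.lower() in W2_HOLDERS and bool(W2_PATTERN.search(text))
    known = EXECUTIVES.get(display.strip().lower())
    sender_mismatch = known is not None and sender.lower() != known
    # Policy from the text: any emailed W-2 request waits for verbal
    # verification, so a matching sender address does not release it.
    action = "hold_for_phone_verification" if w2_request else "deliver"
    return {"w2_request": w2_request, "sender_mismatch": sender_mismatch, "action": action}

# Constructed sample messages.
SPOOFED = """From: Jane Doe <jane.doe@mail-example.test>
To: payroll@example.com
Subject: Urgent request

Please send me a copy of all W-2 forms for our employees before April 15.
"""
GENUINE_ADDRESS = SPOOFED.replace("jane.doe@mail-example.test", "jane.doe@example.com")
ROUTINE = GENUINE_ADDRESS.replace("a copy of all W-2 forms for our employees", "the payroll calendar")

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine address", GENUINE_ADDRESS), ("routine", ROUTINE)]:
        print(name, triage(raw))
```
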
Outcome
The IRS estimates $5.8 billion is lost annually to all forms of tax fraud including phishing. W-2 BEC attacks affected over 200 organisations in 2017 alone, exposing the records of hundreds of thousands of employees whose identities were used to file fraudulent returns.
Key Takeaways
- Requests for W-2s and other sensitive HR data made via email must always be verified by a phone call to the requestor's known number
- The IRS never contacts taxpayers by email — any such contact is fraudulent
- Train payroll and HR staff specifically on W-2 BEC attacks before tax season each year
- File taxes early to pre-empt fraudulent returns filed with stolen SSNs