Privacy Alert: Latest Phishing Scheme Targets W-2s

A new “spear-phishing” scheme is active that targets employees, including Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs), in an attempt to obtain employee personal information and other data.

In a recent case involving a medium-sized company with offices in several states, hackers used a system that mimics employer email addresses to obtain employee W-2s, birth dates, and other information. Specifically, the company’s Human Resources department received two email requests for 2015 W-2s and employee names and birth dates that appeared to come from the CEO. HR complied with the fake request, and the personal information of the entire 2015 workforce was inadvertently disclosed. The company had experienced a prior attempt, when HR received a strange email from the CEO’s email address and disregarded it as a mistake; the successful attempt followed about a week later. Several employees of the affected company discovered misuse of their information after the breach, including falsely filed tax returns.

W-2s contain sensitive personal information such as Social Security numbers and full names and addresses, which can be sold or used for identity theft and financial fraud. W-2s in particular give an identity thief almost everything needed to commit tax fraud.

The ease with which the hackers obtained the information is a reminder to all businesses to review their internal data privacy practices and implement reasonable safeguards. Companies can reduce the risk of this latest scam by encrypting all personal information before it is transmitted electronically, and by training employees, particularly Human Resources staff and others with access to personal information, to follow up any email request for personal information in person or by phone to confirm that the request is legitimate before sending anything.

In the event of a breach, companies should seek legal counsel immediately to develop a breach response plan. State law governs the contents and timing of breach disclosure notices to affected individuals, and notification to state authorities may also be required.

For more information, please contact Christine Zebrowski at [email protected] or (202) 425-6711.


This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.

Subscribe to Our Blog