It is February. Tax season is ramping up. Accountants are busier. Bookkeepers are pulling reports. Everyone is thinking about W-2s, 1099s, and deadlines.
What rarely makes it onto the calendar is the first real tax-season headache.
It usually is not a form.
It is a scam.
And there is one that shows up early every year because it is easy, believable, and aimed directly at small businesses. It may already be sitting in someone’s inbox.
The W-2 Scam and How It Works
The setup is simple.
Someone in your company, usually payroll or HR, receives an email that looks like it came from the CEO, owner, or a senior executive.
The message is short and urgent:
“I need copies of all employee W-2s for a meeting with the accountant. Can you send them as soon as possible? I am slammed today.”
The tone sounds right.
The timing feels normal.
The request seems reasonable.
So the employee sends the W-2s.
The problem is that the email did not come from leadership. It came from a criminal using a spoofed address or a look-alike domain.
Now that criminal has every employee’s:
- Full legal name
- Social Security number
- Home address
- Salary information
Everything needed for identity theft and fraudulent tax filings.
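The spoofed-address and look-alike-domain tricks described above can be checked for in software. The following is an added example, not part of the original article: a small Python check that flags W-2 requests arriving by email. The company domain, executive name, sample messages, finding labels, and the 0.8 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.test"   # assumed company domain
EXECUTIVES = {"dana reyes"}          # assumed leadership display names
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def check_w2_request(raw, company_domain=COMPANY_DOMAIN, executives=EXECUTIVES):
    """Return findings for one raw message; an empty list means no W-2 request."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if not W2_PATTERN.search(text):
        return []
    # Any W-2 request by email needs second-channel verification.
    findings = ["w2_request_by_email"]
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    if from_dom != company_domain:
        if name.lower() in executives:
            findings.append("executive_name_on_external_address")
        # Near-identical spelling of the company domain (threshold is an assumption).
        if SequenceMatcher(None, from_dom, company_domain).ratio() >= 0.8:
            findings.append("lookalike_domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        # Spoofed From header with replies routed to another mailbox.
        findings.append("reply_to_differs_from_sender")
    return findings

# Constructed sample messages (not real mail).
BODY = "\n\nI need copies of all employee W-2s for a meeting with the accountant.\n"
SAMPLE_LOOKALIKE = ('From: "Dana Reyes" <dana.reyes@examp1e-co.test>\n'
                    "Subject: Quick request" + BODY)
SAMPLE_REPLY_TO = ('From: "Dana Reyes" <dana.reyes@example-co.test>\n'
                   "Reply-To: <dreyes.office@mailbox.test>\n"
                   "Subject: Quick request" + BODY)
SAMPLE_BENIGN = ('From: "Dana Reyes" <dana.reyes@example-co.test>\n'
                 "Subject: Lunch\n\nAre we still on for Thursday?\n")

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_REPLY_TO, SAMPLE_BENIGN):
        print(check_w2_request(sample))
```

A check like this supports the verification habit but does not replace it: a request sent from a compromised internal mailbox would show only the first finding.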
What Happens After the W-2s Are Sent
Most businesses do not discover the problem right away.
They find out when employees file their tax returns and receive a rejection notice stating that a return has already been filed using their Social Security number.
Someone else claimed the refund.
Someone else got the money.
Now employees are dealing with the IRS, credit monitoring, identity theft protection, and months of paperwork because of a document they never knew was compromised.
Multiply that by your entire payroll.
This is not just a cybersecurity issue.
It becomes an HR crisis, a trust issue, a potential legal problem, and a reputational hit that is hard to undo.
Why This Scam Works So Well
This attack is effective because it blends in perfectly with normal business activity.
It works because:
- February is prime time for W-2 requests
- The request itself is routine and believable
- The urgency feels normal during tax season
- Criminals research names, titles, and vendors
- Employees want to be helpful, especially to leadership
Urgency overrides verification, and one quick reply causes lasting damage.
How to Protect Your Business Before This Happens
The good news is that this scam is preventable. It requires clear rules and a culture of verification more than advanced technology.
Here are five steps every small business should take now.
- Create a “No W-2s via Email” Rule
W-2s and payroll documents should never be sent through email attachments. No exceptions.
If someone requests them by email, even if it appears to be the CEO, the answer is no.
- Verify Sensitive Requests Using a Second Channel
Any request involving employee data must be verified through a phone call, in-person conversation, or internal chat.
Use a phone number you already trust, not one included in the email.
Thirty seconds of verification can prevent months of cleanup.
- Hold a Short Tax-Scam Awareness Huddle
Do not wait until March.
Spend ten minutes now reminding payroll and HR teams what these scams look like and what to do when they see them.
Awareness is one of the cheapest and most effective defenses.
- Lock Down Payroll and HR Systems
Enable multifactor authentication on all systems that handle employee data.
If credentials are stolen, MFA often stops the attacker at the final step.
- Reward Verification Instead of Speed
Employees should never feel embarrassed for double-checking a request, even if it appears to come from leadership.
When verification is encouraged, scams lose their power.
The Bigger Picture for Tax Season
The W-2 scam is usually just the beginning.
Between February and April, businesses should expect:
- Fake IRS payment notices
- Phishing emails posing as tax software updates
- Messages impersonating accountants
- Invoices timed to look like tax-related expenses
Businesses that get through tax season clean are not luckier. They are prepared.
Is Your Business Ready for Tax-Season Scams?
If your team already has clear policies and knows what to watch for, that is a strong position to be in.
If not, now is the time to act, not after the first incident.
If this does not sound like your business, there is a good chance you know one that it does sound like. Sharing this article could save them a very expensive headache.
