Beware of W2 phishing emails targeting employees

Authored by a Symantec employee


With the IRS’s due date of April 18th looming, fraudsters are rapidly trying to cash in on tax refunds. Over the past two weeks, we’ve seen an increase in BEC (business email compromise) scams involving requests for employees’ W2 taxpayer information. In this scam, the scammer pretends to be a member of upper management and targets a more junior member of the organization. The phishing email requests that the target send employees’ W2 forms for inspection.

It’s important to realize that these documents contain tax and wage information for employees as well as their social security numbers, home addresses and employment locations. Once these documents are obtained, the criminals have everything they need to perform tax refund fraud, effectively stealing tax refunds owed to workers. In addition to tax refund fraud, these documents contain a plethora of information that can help the scammer commit identity fraud as well.

This group sends emails from what appear to be stolen email accounts, so the sender address matches the compromised domain. A different “Reply-to” address is set in the email so that when a victim replies, the reply goes to an account under the attackers’ control, and not to the address the email appears to have originated from. In the past 12 days, this group has used at least eight stolen domains for sending emails and has sent over 600 emails to victims.

For W2 fraud, these are some of the email subjects we are seeing:

Subject: Request For All Employees W2s
Subject: Request For All Employees W2s, Monday 29th February, 2016
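The two signals described above, a “Reply-to” that points somewhere other than the sender and a subject requesting W2s, can be checked on inbound mail. The following is an added example, not Symantec’s detection logic; comparing domains rather than full addresses is an assumption made here, and the sample messages and example.* domains are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pattern derived from the subjects listed above ("W2s"); also accepts "W-2".
W2_SUBJECT = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def domain_of(header_value):
    """Return the lower-cased domain of a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw_message):
    """Return the reasons a message deserves review (empty list = none)."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Replies would leave the sender's domain: the redirection described above.
    if reply_dom and reply_dom != from_dom:
        reasons.append(
            f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if W2_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("subject asks for W2 data")
    return reasons

# Constructed sample messages (placeholders, not real indicators).
SUSPICIOUS = """\
From: "Pat Lee, CEO" <pat.lee@example.com>
Reply-To: pat.lee@example.net
To: payroll@example.com
Subject: Request For All Employees W2s

Kindly send me the W2s of all employees for a quick review.
"""

BENIGN = """\
From: "Pat Lee, CEO" <pat.lee@example.com>
To: payroll@example.com
Subject: Quarterly planning meeting

Agenda attached.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(raw))
```

A message that trips both checks is a candidate for holding until the apparent sender confirms the request through the corporate address book; a Reply-to mismatch alone also occurs in legitimate mail such as mailing lists.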

In addition, employees should keep the following tips top of mind:

  • Be cautious of links and attachments in emails from senders you don’t recognize, or that request actions that seem unusual or don’t follow normal procedures. Avoid providing personal information when answering an email, unsolicited phone call, text message or instant message.
  • Additionally, do not reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message.
  • Never enter personal information in a pop-up web page or anywhere else that you did not initiate.
  • Keep security software and all other software programs updated.
  • Report security warnings from your Internet security software to IT immediately; chances are they aren’t aware of all threats that occur.

You can learn more about safe cyber security practices for employees here.
