publications full of ideas
W-2 Phishing Scams: Don't Take the Bait


In recent weeks, hundreds of businesses around the country have been hit by an email "phishing" scam that is both brilliant in its exploitation of workplace power dynamics and potentially devastating in its effects. This particular scam, which includes widely reported cases involving the Milwaukee Bucks and Snapchat, generally works as follows:

  • An employee in the targeted company's HR department receives a "spoofed" email, which superficially appears to come from a high-ranking member of management;
  • The spoofed email asks the employee to respond with electronic copies of the previous year's W-2 earnings statements (which will include employees' social security numbers, compensation information and home addresses) for all of the targeted company's employees; and
  • The employee, believing that he or she is being responsive to a request from senior management, replies to the spoofed email with the requested tax information.

While all "social engineering" scams seek to find and exploit human weaknesses in order to gain access to sensitive information, this scam is brilliantly cynical: it exploits the imbalance of power between senior management and subordinate personnel by inducing a sense of urgency and desire-to-please with the goal of overwhelming the subordinate's ability to think critically about the information request. Like any good card trick, the spoofed email creates a psychological distraction that blinds the recipient to the sleight-of-hand that's taking place right before his or her eyes.

The consequences of a successful W-2 phishing scam can be extremely serious for the targeted company. Data breach notification laws will almost certainly require delivery of notices to affected employees, government agencies, credit reporting agencies and/or the media. The company will also need to report the incident to local and federal law enforcement agencies, as well as the IRS. Additionally, management will need to be prepared to receive questions from the affected employees about how they should protect themselves and their credit in the wake of the incident. In short, it will be a costly, time-consuming, distracting and morale-draining experience to deal with the aftermath of a W-2 phishing scam.

Given the stakes, companies should focus on strengthening their defenses against potential social engineering attacks. Implementing regular and mandatory data security training for all employees is a critically important defensive measure. Training will not only provide employees with assistance in identifying phishing scams, but will also raise overall awareness and create a company-wide sense of vigilance and preparedness. An appropriately selected and enforced training program can act as a bulwark against potential liability in any post-breach litigation.

Poyner Spruill's Privacy and Data Security Law practice group advises companies who have experienced data security breaches and can also work with clients in the selection of data security training programs and the preparation of incident response plans. If you have any questions or need assistance with data security matters, please contact Mike Slipsky at or Saad Gul at

related information

follow us on twitter