TLDR
HR and payroll departments are the most targeted teams during tax season, and the IRS named these attacks in its 2026 Dirty Dozen list of top scam threats. Attackers impersonate executives to request W-2 data for entire workforces, or submit fraudulent direct deposit changes to divert employee paychecks. ScamVerify™ tracks 684,045 FTC impersonation complaints that reveal these patterns. A single successful W-2 phishing attack exposes every employee's Social Security number, salary, and address, enabling tax refund fraud and identity theft at scale. 70% of businesses expect to be targeted by phishing in the next 12 months.
Why HR Is the Highest-Value Target
HR departments hold the most sensitive data in any organization: Social Security numbers, bank account details for direct deposit, home addresses, salary information, and tax filing data. A successful phishing attack on HR does not just compromise one person. It compromises every employee in the company.
| Data Type HR Controls | What Attackers Do With It |
|---|---|
| Social Security numbers | File fraudulent tax returns, open credit accounts |
| Direct deposit details | Divert paychecks to attacker-controlled accounts |
| W-2 forms | Sell on dark web ($5-$65 per record), file fake returns |
| Home addresses | Physical mail fraud, combined with SSN for identity theft |
| Salary data | Calibrate fraudulent wire requests to plausible amounts |
| Employee directory | Map organization for broader BEC campaigns |
A single W-2 phishing email sent to an HR coordinator can yield hundreds or thousands of employee records in one response. This is why HR phishing is classified as a Business Email Compromise (BEC) variant, and why the FBI tracks it specifically.
The IRS Dirty Dozen 2026 Warning
The IRS publishes its Dirty Dozen list annually to warn taxpayers and tax professionals about the year's most prevalent scam threats. In 2026, employer-targeted phishing appears as a standalone entry, reflecting the scale of the problem:
The IRS warns tax professionals, payroll professionals, and human resource departments about phishing emails that request W-2 data for employees. These schemes have victimized hundreds of organizations and thousands of individuals.
The Dirty Dozen placement is significant. The IRS reserves these 12 spots for the threats causing the most measurable harm. HR phishing earning its own entry means the attack volume and loss data reached a threshold the IRS considers a national priority.
For related coverage of IRS impersonation attacks targeting individuals, see our guide to IRS phone scams and the 2026 Dirty Dozen.
The Two Primary Attack Types
Attack 1: W-2 Phishing
The attacker impersonates a C-suite executive (typically CEO or CFO) and sends an email to an HR or payroll employee requesting W-2 data:
Common subject lines:
- "W-2 Request - All Employees"
- "Urgent: 2025 W-2 Data Needed for Audit"
- "Re: Employee Tax Forms - Confidential"
- "Quick Favor - Need Employee W-2s"
Common email body pattern:
Hi [HR Manager Name],
I need the 2025 W-2 information for all employees sent to me before end of day. We have an external review that requires this data. Please send in PDF or spreadsheet format.
Thanks, [CEO Name]
The attack exploits the fact that W-2 requests are normal during January through April. HR staff handle these requests routinely. The email appears to come from someone with authority to make such a request. The "urgent" framing discourages the employee from verifying through another channel.
What happens with stolen W-2 data:
- Attackers file fraudulent tax returns using each employee's SSN before the real employee files
- The fraudulent returns claim refunds, often to prepaid debit cards
- Victims discover the fraud only when the IRS rejects their legitimate return
- Stolen W-2 data is also sold on dark web marketplaces at $5 to $65 per record
- The data enables long-term identity theft well beyond tax season
Attack 2: Payroll Diversion
Instead of stealing data in bulk, this attack redirects individual paychecks. The attacker either impersonates an employee or compromises an employee's email account, then submits a direct deposit change request to HR:
Common email body pattern:
Hi [HR Contact],
I recently switched banks and need to update my direct deposit information before the next pay cycle. Can you update my account to the following?
Routing: [attacker's routing number]
Account: [attacker's account number]
Please confirm once updated. Thank you.
[Employee Name]
| Payroll Diversion Detail | Typical Pattern |
|---|---|
| Average loss per incident | $7,800 (one to two pay periods before detection) |
| Detection timeline | 1-2 pay cycles (2-4 weeks) |
| Primary targets | Large companies with high employee-to-HR ratios |
| Attack timing | Right before a pay period close date |
| Recovery rate | Low (funds moved within 24 hours) |
The lower dollar amount compared to wire fraud BEC ($7,800 vs. $24,600 average) is offset by volume. A single attacker can submit dozens of payroll diversion requests across multiple companies simultaneously.
Tax Season Amplifies the Risk
January through April creates a perfect storm for HR phishing:
Legitimate W-2 activity. HR departments are actively generating, distributing, and correcting W-2 forms. A phishing request for W-2 data blends in with routine work.
Tax deadline pressure. The April filing deadline creates urgency that makes employees less likely to question requests.
Higher email volume. Tax-related communications surge during this period, making it harder to identify anomalous requests.
Vendor activity. Payroll providers, tax software companies, and accounting firms are all sending legitimate emails, creating more opportunities for impersonation.
Seasonal staff. Some organizations bring in temporary accounting or HR support during tax season. These staff may be less familiar with verification procedures and more likely to comply with urgent requests.
The Scale of the Problem
| Statistic | Value | Source |
|---|---|---|
| Businesses expecting phishing | 70% in next 12 months | Proofpoint |
| FTC impersonation complaints | 684,045 | FTC Consumer Sentinel |
| IRS Dirty Dozen listing | 2026 (#11) | IRS |
| Average W-2 phishing victims per incident | 100-500 employees | FBI IC3 |
| Tax refund fraud from stolen W-2s | $1.3 billion annually | GAO estimate |
| Payroll diversion reports | Growing 30%+ YoY | Abnormal Security |
The 70% figure is especially concerning. Seven out of ten businesses believe they will be targeted, yet many still lack the procedural controls to prevent HR-targeted attacks.
How to Protect Your HR Department
Verification Protocols
- No bulk data via email. Establish a hard policy: W-2 data, employee lists, Social Security numbers, and salary information are never sent via email, regardless of who requests it.
- Verbal confirmation required. Any request for employee data or payroll changes must be confirmed by phone using a number on file, not a number provided in the email.
- Multi-person authorization. Bulk data requests require sign-off from at least two authorized individuals.
Technical Controls
- Flag external emails. Configure your email system to add a visible banner to every message that originates outside the organization. A "CEO" request carrying an external-sender banner is an immediate red flag, and the banner also exposes lookalike domains. It does not help when a genuine internal account has been compromised, which is why the verification protocols above still apply.
- Email authentication. Publish SPF and DKIM and enforce DMARC with a reject policy (p=reject) so that mail forging your exact domain is dropped by receivers that honor DMARC, including your own inbound gateway. This stops direct spoofing only: an attacker who registers a lookalike domain, or who sends from a free webmail account using an executive's display name, passes authentication cleanly, so DMARC complements rather than replaces the procedural controls.
- Forward suspicious requests to scan@scamverify.ai for analysis. ScamVerify checks the sender, content, and links against 8 million+ threat records.
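The W-2 request and direct deposit change patterns shown earlier, together with the external-sender and authentication checks above, can be turned into a single triage rule for mail addressed to HR and payroll. The script below is an added example written for this page, not ScamVerify's code or any product's detection logic. The company domain, the executive names, the score weights and the three sample messages are all constructed for the demonstration; the header parsing uses only the Python standard library.

```python
"""Heuristic triage of inbound HR/payroll mail for W-2 phishing and payroll diversion.

Constructed example: tenant data, weights and sample messages are illustrative.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed company domain
EXECUTIVES = {"Jane Doe", "John Roe"}      # assumed names attackers would borrow

# Phrases taken from the request patterns described on the page.
BULK_DATA = re.compile(r"\bw-?2s?\b|all employees|social security|\bssns?\b|employee list", re.I)
PAYROLL = re.compile(r"direct deposit|routing|account number|switched banks", re.I)
URGENCY = re.compile(r"\burgent\b|end of day|\beod\b|before the next pay|\basap\b|quick favor", re.I)

WEIGHTS = {                                 # assumed weights; tune to your own mail flow
    "executive_name_from_external_address": 4,
    "authentication_failure": 2,
    "reply_to_domain_mismatch": 2,
    "bulk_employee_data_request": 2,
    "direct_deposit_change_request": 2,
    "urgency_pressure": 1,
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _normalize(name: str) -> str:
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def _body(msg: Message) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", errors="replace") for p in parts)


def auth_failures(msg: Message) -> list[str]:
    """Collect spf/dkim/dmarc verdicts other than 'pass' from Authentication-Results."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if verdict.lower() != "pass":
                found.append(f"{mech.lower()}={verdict.lower()}")
    return found


def triage(raw: str) -> dict:
    """Score one RFC 822 message and decide whether HR may act on it."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{_body(msg)}"
    signals = []

    # Display-name impersonation: an executive's name on a non-company address.
    if _normalize(display) in {_normalize(n) for n in EXECUTIVES} and from_domain != INTERNAL_DOMAIN:
        signals.append("executive_name_from_external_address")
    if auth_failures(msg):
        signals.append("authentication_failure")
    if reply_addr and _domain(reply_addr) != from_domain:
        signals.append("reply_to_domain_mismatch")
    if BULK_DATA.search(text):
        signals.append("bulk_employee_data_request")
    if PAYROLL.search(text):
        signals.append("direct_deposit_change_request")
    if URGENCY.search(text):
        signals.append("urgency_pressure")

    score = sum(WEIGHTS[s] for s in signals)
    verdict = "hold_for_verification" if score >= 4 else "review" if score >= 2 else "deliver"
    return {"from": addr, "signals": signals, "score": score, "verdict": verdict}


# Constructed samples. The first passes SPF/DKIM/DMARC because it really is Gmail;
# only the display-name and content checks catch it.
W2_REQUEST = """\
From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: hr@example.com
Subject: Urgent: 2025 W-2 Data Needed for Audit
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Hi Pat, I need the 2025 W-2 information for all employees sent to me before end of day.
"""

DEPOSIT_CHANGE = """\
From: "Sam Employee" <sam.employee@example.com>
Reply-To: sam.employee@outlook.com
To: payroll@example.com
Subject: Direct deposit update
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

I recently switched banks and need to update my direct deposit before the next pay cycle.
Routing: 000000000  Account: 000000000
"""

NEWSLETTER = """\
From: "Pat Payroll" <pat.payroll@example.com>
To: all-staff@example.com
Subject: Q1 benefits newsletter
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

The Q1 benefits newsletter is attached. No action is needed.
"""

if __name__ == "__main__":
    for sample in (W2_REQUEST, DEPOSIT_CHANGE, NEWSLETTER):
        print(triage(sample))
```

The first sample is the instructive one: it passes every authentication check because the attacker really does send from Gmail, so a rule that only looks at DMARC results would deliver it. The verdict "hold_for_verification" is meant to trigger the phone call to a number on file, not to replace it.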
Employee Training
- Tax season briefings. Conduct annual training in January specifically covering W-2 and payroll phishing. Remind staff that no executive will request bulk employee data via email.
- Simulated phishing. Send controlled test phishing emails to HR staff to measure response and identify gaps in awareness.
- Clear reporting channel. Make it easy for employees to report suspicious emails without fear of being wrong.
Payroll Change Controls
- Employee self-service only. Direct deposit changes should only be possible through an authenticated self-service portal, never via email.
- Change confirmation. Whenever banking details change, send an automated confirmation to the employee's email address and phone number already on file, never to contact details supplied with the request. A diversion submitted from a spoofed or compromised account then lands in front of the real employee, who can cancel it.
- Waiting period. Implement a 48-hour delay on payroll routing changes with notification to the employee before the change takes effect.
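The three payroll change controls above fit together as one workflow: a change can only be requested from an authenticated session, the confirmation goes to contact details already on file, and nothing takes effect until the hold elapses. The model below is an added example for this page, not the page's own code or any payroll product's implementation. The employee records, the in-memory notification sink, the injectable clock and the two-employee scenario are constructed; the routing-number check is the standard ABA checksum, included because it rejects the obviously fake numbers that sometimes appear in diversion requests.

```python
"""Direct-deposit change workflow: authenticated self-service only, confirmation to
contact details already on file, and a 48-hour hold the employee can cancel.

Constructed example; employees, clock and notifications are in-memory stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HOLD_PERIOD = timedelta(hours=48)


def valid_aba_routing(routing: str) -> bool:
    """ABA routing checksum: weights 3,7,1 over nine digits, total divisible by 10."""
    if not (routing.isdigit() and len(routing) == 9):
        return False
    d = [int(c) for c in routing]
    return (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])) % 10 == 0


@dataclass
class Employee:
    emp_id: str
    email_on_file: str
    phone_on_file: str
    routing: str
    account: str


@dataclass
class PendingChange:
    emp_id: str
    new_routing: str
    new_account: str
    effective_at: datetime


class PayrollBankingService:
    """Banking changes enter only through request_change() from an authenticated
    self-service session; there is deliberately no method that accepts an email."""

    def __init__(self, employees, clock):
        self.employees = {e.emp_id: e for e in employees}
        self.clock = clock                       # injectable so the hold can be tested
        self.pending: dict[str, PendingChange] = {}
        self.notifications: list[tuple[str, str]] = []

    def _notify(self, emp: Employee, text: str) -> None:
        # Only contact details already on file, never anything supplied with the
        # request, so the real employee sees a change filed from a hijacked account.
        for channel in (emp.email_on_file, emp.phone_on_file):
            self.notifications.append((channel, text))

    def request_change(self, session_emp_id: str, new_routing: str, new_account: str) -> PendingChange:
        emp = self.employees[session_emp_id]
        if not valid_aba_routing(new_routing):
            raise ValueError("invalid routing number")
        change = PendingChange(emp.emp_id, new_routing, new_account, self.clock() + HOLD_PERIOD)
        self.pending[emp.emp_id] = change
        self._notify(emp, f"Direct deposit change requested; effective "
                          f"{change.effective_at:%Y-%m-%d %H:%M} UTC. Cancel if this was not you.")
        return change

    def cancel_change(self, session_emp_id: str) -> bool:
        if self.pending.pop(session_emp_id, None) is None:
            return False
        self._notify(self.employees[session_emp_id], "Direct deposit change cancelled.")
        return True

    def apply_due_changes(self) -> list[str]:
        """Payroll batch step: apply only changes whose hold period has elapsed."""
        applied = []
        for emp_id, change in list(self.pending.items()):
            if self.clock() >= change.effective_at:
                emp = self.employees[emp_id]
                emp.routing, emp.account = change.new_routing, change.new_account
                del self.pending[emp_id]
                self._notify(emp, "Direct deposit change is now in effect.")
                applied.append(emp_id)
        return applied


class FakeClock:
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


def run_scenario() -> dict:
    """Two employees: one lets the hold elapse, one cancels after seeing the alert."""
    clock = FakeClock(datetime(2026, 2, 2, 9, 0, tzinfo=timezone.utc))
    svc = PayrollBankingService([
        Employee("e1", "sam@example.com", "+1-555-0100", "011000015", "111"),
        Employee("e2", "lee@example.com", "+1-555-0101", "011000015", "222"),
    ], clock)
    svc.request_change("e1", "021000021", "999")
    svc.request_change("e2", "021000021", "888")
    applied_immediately = svc.apply_due_changes()    # nothing: hold not elapsed
    svc.cancel_change("e2")                           # lee saw the alert and cancelled
    clock.advance(timedelta(hours=49))
    applied_later = svc.apply_due_changes()
    return {
        "applied_immediately": applied_immediately,
        "applied_later": applied_later,
        "e1_routing": svc.employees["e1"].routing,
        "e2_routing": svc.employees["e2"].routing,
        "alerts_to_e2": [t for ch, t in svc.notifications if ch == "lee@example.com"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of injecting the clock is that the hold period becomes testable: a payroll run at hour 47 must apply nothing, and a run at hour 49 must apply only the change the employee did not cancel.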
What to Do If Your Organization Is Hit
- Notify affected employees immediately. Every person whose W-2 data was exposed needs to know so they can file their tax return early, set up IRS Identity Protection PINs, and place fraud alerts.
- Report to the IRS. Email dataloss@irs.gov with "W2 Data Loss" in the subject line. Include your company name, EIN, contact information, and the number of affected employees.
- File with FBI IC3 at ic3.gov.
- Forward the phishing email to scan@scamverify.ai to help build the threat intelligence database.
- Engage a breach response firm if the exposure is large scale.
- Provide credit monitoring to affected employees. This is both good practice and may be legally required depending on your state.
You can also check suspicious emails proactively using the ScamVerify email checker before responding to any data request.
FAQ
Why do attackers focus on W-2 data instead of just one person's information?
W-2 phishing is a bulk operation. A single successful email to an HR coordinator at a mid-size company can yield 500 or more complete employee records, each containing a Social Security number, full legal name, address, and income. One record enables one fraudulent tax return. Five hundred records enable a fraud operation worth hundreds of thousands of dollars. The effort-to-reward ratio is dramatically better than targeting individuals one at a time.
How quickly do attackers file fraudulent tax returns after stealing W-2 data?
Within hours. Attackers use automated tools to file fraudulent returns claiming refunds as soon as they receive the stolen data. This is why speed matters. If your organization discovers a W-2 phishing compromise, affected employees need to file their legitimate returns immediately and request an IRS Identity Protection PIN. The longer the delay, the more likely the fraudulent return will be filed first.
Can two-factor authentication prevent payroll diversion attacks?
Two-factor authentication on email accounts blocks most of the account takeovers that enable payroll diversion, though not all of them: phishing kits that relay one-time codes in real time can defeat SMS and app-based codes, which is why phishing-resistant methods such as FIDO2 security keys are preferred. And if the attacker is spoofing the employee's address, or writing from a lookalike or personal account, rather than compromising the real mailbox, 2FA on the email account is irrelevant. The real defense is procedural: require direct deposit changes through an authenticated self-service portal, not email.
Our payroll provider handles direct deposit changes. Are we still at risk?
Yes. If the payroll provider's system allows changes via email request from authorized contacts at your company, the risk transfers to whoever processes those requests. Verify with your provider that all changes require multi-factor authentication through their portal and that email-based change requests are not accepted.
How does ScamVerify help detect HR phishing emails?
Forward the suspicious email to scan@scamverify.ai. ScamVerify analyzes the sender's domain against URLhaus (74,032 malicious domains), checks the email headers for authentication failures, cross-references the impersonated identity against FTC complaint patterns, and evaluates the content for manipulation tactics common in BEC and HR phishing. The analysis takes seconds and provides a clear risk assessment.
Received a suspicious request for employee data or a payroll change? Forward it to scan@scamverify.ai or paste the content at the ScamVerify email checker for instant analysis.