
It's February. Tax season is ramping up. Your accountant is getting busier. Your bookkeeper is pulling documents. Everyone's thinking about W-2s, 1099s and deadlines.
10D Tech helps Oregon businesses in Portland, Salem, Eugene, Bend, Corvallis, and Albany, especially credit unions/financial services, healthcare, professional services, nonprofits, and manufacturers, get through tax season without security drama.
Here's the part nobody puts on the calendar: the first real tax-season headache usually isn't a form. It's a scam.
And there's one that shows up before April even gets close because it's easy, believable and aimed straight at small businesses. You might already have it sitting in someone's inbox.
The W-2 Scam: How It Works
Here's the setup:
Someone in your company (usually whoever handles payroll or HR) gets an email that looks like it's from the CEO, owner or a senior exec.
The message is short and urgent:
"Hey, I need copies of all employee W-2s for a meeting with the accountant. Can you send them over ASAP? I'm slammed today."
It looks normal. The tone sounds right. Tax season is busy, so the urgency feels natural. The request seems reasonable.
So, your employee sends the W-2s.
Except the email wasn't from the CEO. It was from a criminal using a spoofed address or a look-alike domain.
And now that criminal has every employee's:
- Full legal name
- Social Security number
- Home address
- Salary information
Everything needed for identity theft. Everything needed to file fraudulent tax returns before your employees do.
What Happens Next
Here's how victims usually find out:
Your employee files their tax return. It gets rejected: "Return already filed for this Social Security number."
Someone already filed in their name. They already claimed their refund. Already got the money.
Now your employee is dealing with the IRS, credit monitoring, identity theft protection and months of paperwork because of a document they didn't even know they sent.
Multiply that by your entire payroll. Now imagine explaining to your team that their personal information was compromised because someone fell for a fake email.
That's not just a security problem. That's a trust problem. An HR nightmare. A potential lawsuit. A reputation hit.
Why This Scam Works So Well
This isn't a Nigerian prince email. It doesn’t look fake at first glance.
It works because:
The timing is perfect. W-2 requests are expected in February. Nobody questions why someone would ask for them now.
The request is reasonable. It's not "wire $50,000" or "buy gift cards." It's something that actually does get shared during tax season.
The urgency feels normal. "I'm slammed today, can you send this quick?" doesn't raise red flags in a busy office.
The sender looks legitimate. Criminals research targets. They know the CEO's name. Sometimes they know your accountant's name. They make it look real because they did their homework.
Employees want to be helpful. Especially to the boss. Urgency overrides verification.
How to Protect Your Business (Before This Lands)
The good news: this scam is preventable. And it takes policy + culture more than fancy tech.
Make a "no W-2s via email" rule. Period. No exceptions. W-2s and other sensitive payroll documents do not leave your building through email attachments. If someone asks for them via email, the answer is "no," even if it looks like the CEO.
Verify any sensitive request in a second channel. Phone call. In person. Chat. Anything other than replying to the email. Use a number you already have, not one in the message. It takes 30 seconds. Can save months of cleanup.
Do a 10-minute tax-scam huddle now. Not later. Not "when we get closer." Tell your payroll/HR people: "These are about to spike. This is what they look like. This is what we do." Awareness is cheap insurance.
Lock down payroll and HR systems. Multi-factor authentication (MFA) on anything that touches employee data. If someone's credentials get phished, MFA is the last door they'll slam into.
Make verification a culture, not a burden. The employee who calls to double-check a request from the CEO should be praised, not made to feel paranoid. When questioning is rewarded, scams have nowhere to hide.
That's it. Five rules. Simple enough to implement this week. Strong enough to stop the first wave.
What You’ll See When This Is Working
- No W-2s leave by email. Requests route to a secure channel; approvals are logged.
- Fewer phishing “” Suspicious sender patterns get flagged; staff verify out-of-band without hassle.
- Payroll/HR behind MFA with least-privilege access. Audit trails are clear and boring (the good kind).
- Fewer “return already filed” Less stress for HR and finance; fewer Friday fire drills.
- Click rates drop over time. Short huddles + targeted simulations build real
- If something slips through, response is fast. Triage, contain, notify—then fix root causes.
We set this up with Managed Cybersecurity and start with a quick IT Assessment & Strategy to spot gaps before tax week hits.
(Oregon note: we do this for teams from Portland HQs to Bend field crews, plus remote staff across the state.)
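As an added example (not 10D Tech's tooling or code from this article), here is one way a mail filter could flag the request described above: a W-2 ask that arrives under an executive's name from a look-alike domain, with a diverted Reply-To, or on a message that failed DMARC. `ORG_DOMAIN`, `EXEC_NAMES`, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # assumption: your real sending domain
EXEC_NAMES = {"dana reyes"}       # assumption: names an impostor would borrow
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def w2_request_flags(raw):
    """Return the reasons a raw RFC 5322 message should be held for verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    if not W2_PATTERN.search(f"{msg.get('Subject', '')}\n{body}"):
        return []
    flags = ["w2-request-by-email"]  # the policy says this alone needs a call-back
    if domain != ORG_DOMAIN:
        if name.strip().lower() in EXEC_NAMES:
            flags.append("exec-name-on-external-domain")
        if edit_distance(domain, ORG_DOMAIN) <= 2:
            flags.append("lookalike-domain")
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-differs-from-sender")
    # Only trust Authentication-Results stamped by your own receiving server.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")
    return flags

# Constructed sample: look-alike domain ("1" for "l") plus a diverted Reply-To.
SAMPLE_LOOKALIKE = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes@mailbox.example
Subject: Need W-2s today

I need copies of all employee W-2s for a meeting with the accountant.
"""
```

Calling `w2_request_flags(SAMPLE_LOOKALIKE)` returns all the reasons the message should be held. A flagged message still goes through the second-channel call-back; the filter only decides which ones get stopped first.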
The Bigger Picture
The W-2 scam is just the opening act.
Between now and April, expect a flood of tax-themed attacks:
- Fake IRS notices demanding immediate payment
- Phishing emails disguised as tax software updates
- Spoofed messages from "your accountant" with malicious links
- Fraudulent invoices timed to look like tax expenses
Criminals love tax season because everyone's distracted, everyone's moving fast and financial requests don't seem unusual.
In Oregon, we see the same patterns: Salem and Eugene offices juggling payroll cutoffs, Bend teams moving fast, Portland leadership traveling. That pace is why tax-themed phishing lands across credit unions, medical and health clinics, professional firms, nonprofits, and manufacturers.
Businesses that get through tax season clean aren't luckier. They're prepared.
They have policies. They have training. They have systems that catch suspicious requests before they become disasters.
Want a 15-minute sanity check before payroll week? We’ll review your W-2 rule, MFA on payroll/HR, and mail protections with zero jargon.
Is Your Business Ready?
If you've already got policies in place and your team knows what to look for, great. You're ahead of most small businesses.
If not, now is the time. Not after the first scam hits.
If this sounds like your business, book a 15-minute discovery call with us and we'll review:
- Payroll/HR access and MFA
- Your W-2 verification rules
- Email protections that catch spoofing
- The one policy tweak most businesses miss
If it doesn't sound like you, awesome. But you probably know a business owner it does sound like. Forward them this article. It might save them a very expensive headache.
Quick Answers
- What’s the W-2 scam? A spoofed “CEO” email tricks payroll/HR into sending all employee W-2s.
- Who’s targeted? Small businesses with busy payroll cycles, especially February–
- Single best policy? No W-2s by email; confirm sensitive requests in a second channel.
- Fast checklist: Verify sender in Teams/Slack/phone, use MFA on payroll, lock sharing to approved tools.
- Email defenses that help: Anti-phishing, domain protection (SPF, DKIM, DMARC), safe links/attachments.
- Oregon coverage: Portland, Salem, Eugene, Bend, Corvallis, and Albany.
If you’re in Portland, Salem, Eugene, Bend, Corvallis, or Albany and this hits close to home, let’s fix it before it lands. We support financial services, healthcare, professional services, nonprofits, and manufacturing.
Start here: Book your 15-minute discovery call
Because tax season is stressful enough without identity theft on top of it.
FAQ and Takeaways
1) How do we stop W-2 phishing at our company?
Set a hard rule: no W-2s by email. Require second-channel verification, MFA on payroll, and anti-phishing on mailboxes. We can review gaps and tune controls with an IT Assessment & Strategy.
2) We already sent W-2s ... what now?
Treat it as a data incident. Contain access, alert leadership and payroll, notify staff, and start protection steps. Call our Emergency IT Support & Incident Response to triage and coordinate a clean response.
3) Do you work with our in-house IT?
Yes. We handle phishing defenses, email security, and monitoring while your team leads the roadmap. See Co-Managed IT Services.
4) What employee training actually moves the needle?
A 15-minute huddle before tax season, role-specific tips for payroll/HR, and short phishing simulations. Reward people for verifying unusual requests.
5) What technical controls should be on by default?
MFA on payroll/HR, anti-phishing, geo/login alerts, role-based access, and blocked external sharing for sensitive folders. We bundle these in Managed Cybersecurity.
6) How fast can you help if a scam hits Friday afternoon?
Call us at (541) 243-4103. Our team can jump in to contain access, review mail flow, and guide next steps via Emergency IT Support & Incident Response.



