Beware of the CEO Email Request Phishing Scam: A Different Form of March Madness

Not only is it “March Madness” time, it is also prime tax return filing time.  That means that the email scammers are out in full force as well.

In the last 10 days, we have seen a marked uptick in what are called “phishing” attacks.  Actually, it’s more like an epidemic.

An employee of a company – usually in HR or payroll – receives what looks to be a legitimate email from the CEO.  It usually is framed as an “urgent” request for “W-2 information” of all employees.  The employee, wanting to be responsive to the CEO, sends the information in a PDF attachment.

Of course, “W-2 information” contains employee Social Security numbers, salaries and other personal data, and is highly prized by thieves who file fraudulent tax returns with the IRS and the states to claim large refunds in the employees' names.  Judging by the number of calls we have received, and the public information available regarding other companies (see California Department of Justice data breach notice site) that have been victimized by this scam, there are hundreds of companies that have been affected, and the personal information of tens of thousands of employees has been compromised.

The text of the email usually is a variant of one of these requests:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015. I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

It is extremely important for HR and payroll professionals to be aware of, and on the lookout for, these types of emails and to inform all staff to double check before sending this type of information – even within the company and purportedly in response to a senior executive’s request.  Think about it:  why would the CEO request W-2 information on all employees?
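A mail-filter heuristic for the request patterns quoted above, as an added example that is not part of the original post. It scores a raw message on the wording of the sample requests plus two header checks; the company domain, the sample messages, the header checks and the threshold of 3 are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: your organization's mail domain
# Wording taken from the sample requests quoted in the post.
DATA_TERMS = re.compile(r"\bw-?2\b|social security number|wage and tax statement"
                        r"|earnings summary|date of birth", re.I)
BULK_TERMS = re.compile(r"\ball\b|\blist of\b|\bemployees\b|\bstaff\b", re.I)
URGENCY_TERMS = re.compile(r"\basap\b|\burgent\b|\bquick review\b|\bkindly\b", re.I)

# Constructed sample messages (not real mail).
SAMPLE_SCAM = """\
From: "Pat Chief (CEO)" <pat.chief@example.com>
Reply-To: pat.chief@mail-example.test
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
"""
SAMPLE_BENIGN = """\
From: "Pat Chief (CEO)" <pat.chief@example.com>
To: payroll@example.com
Subject: Lunch on Friday

Can all staff join the team lunch on Friday?
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return the list of indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    reasons = []
    if DATA_TERMS.search(text):  # bulk/urgency only matter alongside a data request
        reasons.append("requests W-2 or SSN data")
        if BULK_TERMS.search(text):
            reasons.append("asks for all employees")
        if URGENCY_TERMS.search(text):
            reasons.append("urgency wording")
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if from_dom != COMPANY_DOMAIN:
        reasons.append("sender outside company domain")
    if reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To differs from From")
    return reasons

def should_hold(raw, threshold=3):
    """Hold the message for out-of-band verification when indicators combine."""
    return len(score_message(raw)) >= threshold
```

A message that appears fully internal but asks urgently for W-2 data on all staff still reaches the threshold, which matches the advice to double check even requests that seem to come from inside the company.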

It is also critical to now ask the question:  have we inadvertently done this?  Check with all HR and payroll employees.   If the answer is:  “I think so…” or “yes….”, or at all hesitant, it’s time to call us.  Any of this information supplied inadvertently puts your employees at risk for identity theft and, if fraudulent tax returns are filed, will cause their tax filing to be rejected by the IRS.  Also, sending such a file to a scammer constitutes a reportable data breach under state data breach notification laws and employees must be notified.

Some of the companies victimized by the “W-2 phishing scam” include technology companies like Snapchat and Seagate Technology.   The IRS alert on email tax schemes can be found here.

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.