TLDR
January March: attacker spoofs CEO / CFO email to HR/payroll: 'Please send me the W 2s of all employees for review before filing.' HR replies with a ZIP / Excel containing SSN, address and 2024 wages of every employee. Attackers file...
How it works
January March: attacker spoofs CEO / CFO email to HR/payroll: 'Please send me the W 2s of all employees for review before filing.' HR replies with a ZIP / Excel containing SSN, address and 2024 wages of every employee. Attackers file...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1IF VICTIM: report to IRS at dataloss@irs.gov within 48h, file IRS Form 14039 for each employee, notify state revenue, offer 24 month credit monitoring to staff, file ic3.gov.
Source
FTC
Source reviewed by Mythos Forensic Team
https://consumer.ftc.gov/articles/what-do-if-someone-steals-your-identityFAQ
Is W 2 phishing — HR targeted tax season scheme a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
IF VICTIM: report to IRS at dataloss@irs.gov within 48h, file IRS Form 14039 for each employee, notify state revenue, offer 24 month credit monitoring to staff, file ic3.gov.
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.