Watch Out for These W2 Phishing Emails

W2 Phishing Email

Tax season is starting, and along with it come the tax-related phishing emails. We’ve already started seeing emails this year that look like W2 notifications. Be on the lookout for these, and other tax-related scams.

Let’s look at a specific example:

W2 Phishing Email


There are few red flags in the email that give it away as malicious:

1. The sender says “ShareFile,” but the body of the email is DocuSign branding. These are two different services.

2. It doesn’t mention the name of the company anywhere. It just says “Coorporate Office.” There are two red flags here: 1. Spelling and grammar errors are typically a sign of phishing emails. 2. Not including a company name means they can blast this to as many people as possible without having to make any changes.

3. The email is trying to get you to click on the link. If you hover over the link in the actual email, it doesn’t go to a DocuSign (or ShareFile) site.

4. Most places don’t send W2s via DocuSign or ShareFile. W2s are typically sent through the mail and/or are accessible through an HR portal. There usually isn’t a reason to sign and return documents, as the email suggests.

If you do click the link in this particular email, it takes you to a pretty convincing looking sign in page:




The biggest red flag that this is a fake login page? It says DropBox, which is different service from both DocuSign and ShareFile. If you aren’t paying much attention, it’s easy to miss.

This also isn’t what a DropBox login page looks like, but you’d have to be familiar with the service to catch that, and even then, you may not notice. It’s a good fake.

Please keep in mind, this just one example. There will likely be other versions of the same scam that may look completely different. They will most likely all try to either get you to click on a malicious link or download a malicious attachment.

The best thing you can do to help protect your company is to let your employees know how they can access their W2s – and how they can’t access them. If employees can access their W2 information through an online HR portal, make sure they know how to access it without clicking on an email link. If you are only sending W2s by mail, make sure employees know there is no other option. Make sure they are clear on the ways to access their W2 and that ANY other notifications are malicious and should be disregarded.

It’s not unusual for cybercriminals to take advantage of timely events to try to increase their chance of success, and tax season is no exception. These likely won’t be the only tax-related attacks we see this year.

One variation we’ve seen in the past targets HR folks specifically: The attacker (usually posing as a C-level employee) asks for the W2’s of everyone in the company. This information can be sold on the black market or used to steal identities.

Be on the lookout for these, and other tax-related phishing attacks over the coming months. As always, if you are a PTG customer, you can forward any email to us to check over before you click or respond. If you want to learn more about phishing, and other cybersecurity threats to small businesses, read our Ultimate Guide to Small Business Cyber Security


Related Posts

Why Data Backups Are Important Plus Strategies To Protect Your Information
- Hopefully, the last time you backed up your data wasn’t back when you were watching TRL wi...
How to Stay Safe Online: 7 Tips we Learned from Cybersecurity Awareness Month
- Feel like you're in an eternal game of cat-and-mouse with cyber attackers? Well, welcome t...
image of a typewriter and laptop side by side, cut in half
Why Running Outdated Technology Is Bad for Business
- If it ain't broke don't fix it. How many times have you heard that phrase in your life? Ge...