Tax Season Scams Are Starting Early: The W-2 Scam Hitting Accounting Firms First

Posted December 15, 2025

Tax season is gearing up across Metro Detroit.

It’s February. Your accounting or tax firm is moving fast. Client documents are flowing. W-2s and 1099s are being finalized. Payroll questions are piling up. Everyone is focused on deadlines — because that’s the job.

This is the moment I always slow firms down.

Because year after year, the first tax-season disruption I see isn’t a filing issue. It’s a cyber liability event triggered by one very ordinary-looking email.

And there’s one scam that consistently hits small and mid-size accounting firms before April arrives — because it blends perfectly into busy-season workflow.

Chances are, it’s already in someone’s inbox.

The W-2 Email Scam: How It Targets Accounting and Tax Firms

Here’s how this usually plays out inside a firm.

Someone on your team — payroll, HR, or an office manager — receives an email that appears to come from a managing partner or firm owner.

The message is brief. Familiar. Urgent.

“Hey — I need copies of all employee W-2s for a quick review. Can you send those over ASAP? I’m tied up today.”

Nothing about this feels suspicious.

February is exactly when W-2s are requested. The tone sounds right. The urgency feels normal during tax season.

So the employee sends the files.

Here’s the issue: That email didn’t come from firm leadership.

It came from a criminal using a spoofed email address or a look-alike domain designed to slip past a quick glance.

And now that criminal has access to everything inside those W-2s:

  • Employee names
  • Social Security numbers
  • Home addresses
  • Compensation details

That data exposure immediately creates cyber liability for the firm — legal, regulatory, and operational risk that goes far beyond an IT problem.
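A mail-triage check for the two delivery methods described above, a spoofed firm address and a look-alike domain, is sketched below. It is an added example, not part of the original post. The firm domain, the partner name, the sample messages and the presence of an Authentication-Results header stamped by the receiving mail server are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplecpa.test"   # assumption: the firm's real mail domain
LEADERS = {"dana whitfield"}      # assumption: partner/owner display names
SENSITIVE = re.compile(r"\bw-?2s?\b|\bpayroll\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the reasons a message should be held for second-channel verification."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    domain, reply = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    auth = msg.get("Authentication-Results", "").lower()  # stamped by the receiving server
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    reasons = []
    if domain != FIRM_DOMAIN and name in LEADERS:
        reasons.append("leader name on external address")
    if 0 < edit_distance(domain, FIRM_DOMAIN) <= 2:
        reasons.append("look-alike of firm domain")
    if domain == FIRM_DOMAIN and "dmarc=fail" in auth:
        reasons.append("firm domain failed DMARC")
    if reply and reply != domain:
        reasons.append("Reply-To differs from From")
    if reasons and SENSITIVE.search(msg.get("Subject", "") + " " + body):
        reasons.append("asks for W-2 or payroll data")
    return reasons

# Constructed sample messages (not real mail).
ASK = "Subject: Quick request\n\nI need copies of all employee W-2s ASAP.\n"
LOOKALIKE = "From: Dana Whitfield <dana@examp1ecpa.test>\n" + ASK
SPOOFED = ("From: Dana Whitfield <dana@examplecpa.test>\n"
           "Reply-To: dana.w@mailbox.test\n"
           "Authentication-Results: mx.examplecpa.test; dmarc=fail\n" + ASK)
INTERNAL = ("From: Dana Whitfield <dana@examplecpa.test>\n"
            "Authentication-Results: mx.examplecpa.test; dmarc=pass\n" + ASK)
```

A flagged message is a prompt to verify through a trusted second channel; an empty result does not prove the request is genuine.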

How Firms Discover the Damage

Most firms don’t realize anything happened right away.

They find out weeks later when an employee files their personal tax return — and it’s rejected.

“Return already filed for this Social Security number.”

Someone else already submitted it. Someone else already claimed the refund.

Now your employee is dealing with the IRS, identity theft recovery, credit monitoring, and months of paperwork — because their personal data was exposed at work.

Now imagine that scenario multiplied across your payroll.

This is where cyber liability becomes very real:

  • Loss of employee trust
  • HR and legal exposure
  • Regulatory obligations
  • Cyber insurance scrutiny
  • Reputation risk inside your local business community

This is not theoretical. This is what busy-season cyber incidents look like for accounting firms.

Why the W-2 Scam Works So Well During Tax Season

This scam doesn’t rely on sloppy mistakes. It relies on timing and pressure.

Here’s why it continues to succeed:

  • The timing feels legitimate: W-2 requests are expected in February. No one questions them.
  • The request makes sense: This isn’t a wire transfer or gift card scam. It’s routine tax-season activity.
  • Urgency feels normal: Busy season is urgent by definition.
  • The sender looks credible: Attackers research firm leadership, staff roles, and even outside accountants.
  • Employees want to help: Especially when a request appears to come from the top.

This is why cyber liability isn’t about blaming people — it’s about designing processes that protect them when things get hectic.

How I Help Accounting Firms Reduce W-2 Cyber Liability

The good news: this scam is highly preventable.

It doesn’t require complicated tools or expensive systems. It requires clear rules, verification habits, and proof-based controls.

Here’s what I recommend firms put in place before the request arrives:

1. Establish a “No W-2s via Email” Policy

W-2s and payroll data should never be sent as email attachments — no exceptions.

If someone asks for them via email, the answer is “no,” even if the message appears to come from a partner.

This single rule dramatically reduces cyber liability exposure.

2. Verify Sensitive Requests Using a Second Channel

Phone call. In-person confirmation. Internal messaging.

Never verify sensitive requests by replying to the email itself. Always use contact information you already trust.

3. Run a 10-Minute Tax-Season Scam Briefing

Before March hits.

Show payroll and admin staff:

  • What W-2 scams look like
  • Why they spike during tax season
  • Exactly what to do when one appears

Awareness is one of the most effective cyber liability controls available.

4. Lock Down Payroll and HR Systems with MFA

Any system containing employee data should be protected with multi-factor authentication.

When credentials are compromised, MFA often prevents a bad situation from becoming a reportable incident.

5. Make Verification a Firm Value

Employees should be praised — not questioned — for slowing down and double-checking requests.

When verification is encouraged, scams lose their advantage.

The Bigger Tax-Season Cyber Risk Picture

The W-2 scam is rarely the only attempt.

Between January and April, accounting firms are routinely targeted with:

  • Fake IRS payment notices
  • Phishing emails posing as tax software updates
  • Spoofed messages from “your accountant” or vendors
  • Fraudulent invoices disguised as tax expenses

Criminals know tax season is when firms are busiest and least able to stop and verify.

Firms that get through cleanly aren’t lucky — they’re prepared.

They’ve reduced cyber liability with:

  • Clear policies
  • Staff training
  • Evidence-based controls insurers and regulators expect

Is Your Accounting Firm Ready for Tax Season?

If your firm already has:

  • Clear W-2 handling rules
  • Verification procedures
  • MFA protecting payroll and HR systems

You’re ahead of most.

If not, now is the time — not after an incident forces the issue.

Schedule a Discovery Call

On a Discovery Call, we’ll review:

  • How sensitive payroll data is actually shared
  • Where verification breaks down under pressure
  • Whether your current controls truly reduce cyber liability

You’ll get clarity, next steps, and peace of mind — without jargon or fear tactics.

If this article doesn’t sound like your firm, chances are it sounds like one you know. Share it. Tax season is stressful enough without preventable cyber exposure.

Book Your Discovery Call

Because protecting your firm, your people, and your reputation should feel manageable — even during busy season.