The Tax Scam That Hits Construction Companies First

(And Why It’s Still Catching Businesses in March)

By mid-March, most construction firms are deep into tax season.

Your accounting team is working through filings.
Your bookkeeper is organizing payroll records.
Your accountant is asking for documents.

Everyone is moving fast.

And that’s exactly why cybercriminals love this time of year.

Because the first major tax-season headache for many companies isn’t a form or a deadline.

It’s a scam.

And one of the most common attacks during tax season is aimed directly at payroll data.

This article is adapted from and reframed for construction leadership teams.

The W-2 Scam That Still Hits Businesses Every Year

Here’s how the attack usually happens.

Someone in payroll or HR receives an email that appears to come from an executive.

Often the CEO.

Sometimes the CFO.

The message is short and direct:

"Hey — our accountant needs copies of all employee W-2s for a meeting. Can you send them over quickly? I'm tied up today."

The request feels normal.

The timing makes sense.

And the sender looks legitimate.

So, the employee sends the files.

Except the message didn’t come from leadership.

It came from a criminal using a spoofed email address or a look-alike domain.

And now that attacker has access to every employee’s:

  • Full legal name
  • Social Security number
  • Home address
  • Wage information

Everything required to commit identity theft.

Everything required to file fraudulent tax returns before your employees do.

How Companies Usually Discover the Breach

The damage usually surfaces weeks later.

An employee files their tax return.

And the IRS rejects it.

The message says:

“A return has already been filed for this Social Security number.”

Someone already claimed their refund.

Now that employee is dealing with:

  • Identity theft recovery
  • IRS investigations
  • Credit monitoring
  • Months of paperwork

All because their personal information was unknowingly sent in a single email.

For the IT Director, this becomes a data breach incident.

For the CFO, it becomes something larger:

  • Employee trust issues
  • HR escalation
  • Legal exposure
  • Reputational damage

And potentially dozens or hundreds of employees impacted at once.

Why This Scam Works So Well

Unlike many cyber scams, this one doesn’t look suspicious.

It succeeds because it blends into normal business activity.

First, the timing is perfect.

Requests for payroll documents are common during tax season.

No one questions them.

Second, the request is believable.

It isn’t asking for money or gift cards.

It’s asking for something that actually gets shared internally.

Third, the sender looks legitimate.

Attackers research companies ahead of time.

They know executive names.

They know company structures.

Sometimes they even know the name of your accountant.

And finally, employees want to be helpful.

When a request appears to come from leadership and sounds urgent, verification often gets skipped.

What IT Directors and CFOs Should Lock Down Right Now

The good news is this scam is very preventable.

And stopping it doesn’t require complicated technology.

It requires clear policy and leadership support.

  1. Establish a “No W-2s via Email” Rule

Sensitive payroll data should never be transmitted as email attachments.

Period.

If someone asks for W-2s through email, the answer should always be:

“Please use the secure portal.”

Even if the request appears to come from leadership.

  2. Require a Second Channel for Verification

Any request involving sensitive payroll information should require confirmation through another method:

  • A phone call
  • An internal chat message
  • An in-person conversation

Thirty seconds of verification can prevent months of damage.

  3. Run a Quick Tax-Season Awareness Reminder

This doesn’t need to be a long training session.

Ten minutes with payroll, HR, and accounting teams is enough.

Explain what the W-2 scam looks like.

Explain how attackers operate during tax season.

Awareness is often the most effective defense.

  4. Lock Down Payroll Systems with MFA

If someone’s credentials are stolen, multi-factor authentication becomes the last barrier between attackers and sensitive employee data.

For IT leaders, MFA should be mandatory anywhere payroll information is accessible.

  5. Reward Verification — Don’t Discourage It

Employees should never feel awkward about double-checking a request.

In fact, it should be encouraged.

The person who pauses and says,

"Let me confirm that before sending it"

is protecting the entire organization.

Why This Matters More Than Ever

The W-2 scam is usually just the beginning.

From now through April, businesses typically see a wave of tax-related attacks:

  • Fake IRS payment notices
  • Phishing emails disguised as tax software updates
  • Messages pretending to be from your accountant
  • Fraudulent invoices disguised as tax expenses

Cybercriminals target this period because businesses are busy and financial requests don’t feel unusual.

Companies that get through tax season without incidents aren’t lucky.

They’re prepared.

A Quick Check for Leadership

If you’re an IT Director or CFO, ask yourself one simple question:

If someone emailed your payroll team today asking for W-2s, would your systems and policies stop that request automatically?

If the answer is unclear, it’s worth tightening things up before the end of tax season.

Because once payroll data leaves your system, the damage moves very quickly.
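
One way to make that check automatic at the mail gateway, shown as an added example that is not from the original article: a filter that holds any W-2 request sent by email and also flags an executive's name arriving from an outside or look-alike domain. The company domain, executive names and sample message are assumed values constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your own domain and executives.
COMPANY_DOMAIN = "example-builders.com"
EXECUTIVE_NAMES = {"dana reyes", "sam ortiz"}
W2_PATTERN = re.compile(r"\bw-?2s?\b", re.IGNORECASE)

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hold_reasons(raw_message):
    """Return the reasons to quarantine a message; an empty list means deliver."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    if not W2_PATTERN.search(f"{msg.get('Subject', '')}\n{body}"):
        return []
    # Policy from the article: W-2s never travel by email, whoever asks.
    reasons = ["w2_request_by_email"]
    if domain != COMPANY_DOMAIN:
        if name.strip().lower() in EXECUTIVE_NAMES:
            reasons.append("executive_name_from_outside_domain")
        if edit_distance(domain, COMPANY_DOMAIN) <= 2:
            reasons.append("lookalike_domain")
    return reasons

# Constructed sample: "rn" stands in for "m" in the sender's domain.
SAMPLE_SPOOF = """From: Dana Reyes <dana.reyes@exarnple-builders.com>
To: payroll@example-builders.com
Subject: Quick request

Our accountant needs copies of all employee W-2s for a meeting. Can you send them?
"""

if __name__ == "__main__":
    print(hold_reasons(SAMPLE_SPOOF))
```

A request that appears to come from the real company domain still returns the first reason, so it is held for second-channel verification rather than trusted on the sender address alone.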

Closing the Gap Before the Next Scam Hits

You may already have strong controls in place.

If so, that’s great.

But if your payroll systems, email protections, or verification policies still rely on “someone noticing something looks odd,” it may be time for a quick review.

A short discovery call can help identify:

  • Gaps in payroll system security
  • Email spoofing protections
  • MFA coverage for sensitive systems
  • Verification policies for financial data requests

No scare tactics.

Just practical steps to make sure your business isn’t the next company dealing with a tax-season data breach.

Book your 15-minute discovery call here

Because tax season is stressful enough.

You shouldn’t have to deal with identity theft on top of it.