The Legal Examiner Affiliate Network The Legal Examiner The Legal Examiner The Legal Examiner search feed instagram google-plus avvo phone envelope checkmark mail-reply spinner error close
Skip to main content

There is a growing wave of identity theft and W-2 scams in our country, and criminals are reportedly targeting small businesses in particular. Just like individuals, firms and other businesses may have their Employer Identification Numbers (EINs) stolen and their sensitive information used to open new lines of credit, obtain credit cards, and/or file fake tax returns. On top of those dangers, firms and companies hold employees’ sensitive tax data like their W-2 forms, which cybercriminals can use to pose as those individuals and file fake returns.

Law firms, particularly their payroll and HR departments, should watch for emails asking for sensitive information involving W-2s as well as Forms 1120, 1120S, 1041 and Schedules K-1.

How to Be on the Lookout

Businesses, partnerships and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:

  1. Rejected extension-to-file requests because a tax return with the EIN or Social Security number is already on file,
  2. Rejected e-filed return because a duplicate EIN/SSN is already on file with the IRS,
  3. An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer, and/or
  4. Failure to receive expected and routine correspondence from the IRS because of a change of address.

Employers should discuss the scams with their payroll and/or HR professionals and adopt strict protocols for sharing sensitive employee information. The IRS suggests possibly having two people review any distribution of sensitive W-2 data or wire transfers. In addition, a verbal confirmation could be required before emailing any W-2 data.

What the IRS and States Are Doing

To up their game in safeguarding businesses, the IRS and states are asking that business and tax practitioners provide additional information to help verify the legitimacy of their tax returns. These procedures include the following questions:


  • The name and SSN of the company executive authorized to sign the corporate tax return. Is this person authorized to sign the return?
  • Payment history – Were estimated tax payments made? If yes, when were they made, how were they made and how much was paid?
  • Parent company information – Is there a parent company? If yes, who?
  • Additional information based on deductions claimed.
  • Filing history – Has the business filed Form(s) 940, 941 or other business-related tax forms?


Sole proprietorships that file Schedule C and partnerships filing Schedule K-1 with Form 1040 also will be asked to provide additional information to help the IRS and states identify suspicious business-related returns.

All employers are targets for the recent W-2 scam that comes in the form of an email that appears to be from an executive or organization leader to a payroll or HR employee. Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred.

How to Report Suspicious Activity

Federal W-2 Data Loss: If you or someone at your firm suspects a cybercriminal has stolen W-2 information, email right away with the subject line “W2 Data Loss” to notify the IRS. Do not attach any employee personally identifiable information data. Businesses and payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center at Businesses/payroll service providers may be asked to file a report with their local law enforcement agency. Forward the scam email to

State Tax Information Loss: Email for information on how to report stolen information to the states.

As a law firm owner, you can never be too careful when your business’ and employees’ information is under threat by cybercriminals. For more tips on staying secure with tax information, visit

Comments for this article are closed, but you may still contact the author privately.