
Protecting Employee Information From Tax Season Phishing Schemes

By Natasha Cooper & Christel E. Harlacher on February 19, 2026

Overview

As we enter the 2026 tax filing season, organizations face a heightened risk of cyberattacks targeting employee information. Tax season is a busy time for cybercriminals, who ramp up efforts to trick businesses and individuals into sharing personal information. Bad actors can use stolen personally identifying information (“PII”) in a variety of harmful ways, including to file fraudulent tax returns and claim refunds. Below we provide an overview of the current threat landscape, key warning signs to watch for, practical prevention strategies, and guidance on legal obligations if your organization is targeted.

The Nature of Tax Season Phishing Attacks

Tax season phishing schemes represent a particularly dangerous cybersecurity threat that has continued to escalate in recent years. A prominent tactic involves cybercriminals using various spoofing techniques to disguise an email to make it appear as if it is from a legitimate organization executive. These emails are typically sent to payroll or human resources employees and request employee W-2 forms.

W-2 forms are particularly attractive targets for cybercriminals because they contain comprehensive PII, including Social Security numbers. With this comprehensive PII, cybercriminals can file fake tax returns, apply for loans and credit, and commit identity theft in a variety of other destructive manners.

The threat landscape continues to evolve with increasingly sophisticated attack methods. For example, the recent AI boom has made it even easier for bad actors to create highly convincing fake content that can be used to successfully exfiltrate PII.

Warning Signs and Red Flags

Organizations and their personnel should remain vigilant for the following indicators of phishing attempts:

  • Email characteristics to scrutinize. Phishing emails deceptively appear to be from a legitimate executive or management employee of the organization and are frequently sent to personnel that have access to the organization’s payroll, finance, or human resources data. The emails in a W-2 phishing scheme typically request W-2 forms and/or a list of employee PII.
  • Psychological manipulation tactics. Cybercriminals often exploit authority bias, knowing that employees are more likely to follow requests from their employer’s leaders and management. The email content leverages this conditioned response by creating a false sense of urgency, such as by directing the employee to provide the requested PII as soon as possible for an urgent matter. The threat actor may even reference “standard procedures” or “company policy” to enhance the legitimacy of the email.
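The red flags above (an executive's display name paired with an address that is not theirs or with a lookalike domain, a Reply-To that points elsewhere, a request for W-2s or other PII, urgency, and appeals to "company policy") can be turned into a simple triage rule that payroll or HR mailboxes run before anyone acts on a request. The script below is an added example written for this article, not code from the original post or from McGuireWoods; the organization domain `example.com`, the executive roster in `EXECUTIVES`, and both sample messages are constructed for illustration.

```python
"""Heuristic triage for W-2 / payroll phishing emails (added example).

Parses a raw RFC 822 message, checks it against the warning signs described
in the article, and returns the list of red flags plus a hold/review/ok verdict.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed values for this example: the organization's mail domain and the
# executives whose names a spoofed message is most likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "tom smith": "tom.smith@example.com",
}

# Flag labels (constants so the verdict logic cannot drift from the checks).
FLAG_EXEC_NAME = "executive display name with unexpected sender address"
FLAG_LOOKALIKE = "sender domain looks like the organization's but is not"
FLAG_REPLY_TO = "Reply-To domain differs from From domain"
FLAG_PII = "requests W-2 forms or employee PII"
FLAG_URGENCY = "urgency language"
FLAG_AUTHORITY = "appeals to company policy or standard procedure"

PII_TERMS = re.compile(r"\b(w-?2s?|social security|ssn|payroll (records|data)|employee list)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(asap|urgent(ly)?|immediately|as soon as possible|right away)\b", re.I)
AUTHORITY_TERMS = re.compile(r"\b(company policy|standard procedure|standard protocol)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return the list of red flags found in one raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)

    # Display name of a known executive, but the address is not the one on file.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(FLAG_EXEC_NAME)

    # Domain is not ours but borrows our name (e.g. example-payroll.com).
    org_name = ORG_DOMAIN.split(".")[0]
    if from_domain and from_domain != ORG_DOMAIN and org_name in from_domain:
        flags.append(FLAG_LOOKALIKE)

    # Replies would go somewhere other than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_domain:
        flags.append(FLAG_REPLY_TO)

    # Content checks over subject plus body.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    text = str(msg.get("Subject", "")) + "\n" + body
    if PII_TERMS.search(text):
        flags.append(FLAG_PII)
    if URGENCY_TERMS.search(text):
        flags.append(FLAG_URGENCY)
    if AUTHORITY_TERMS.search(text):
        flags.append(FLAG_AUTHORITY)
    return flags


def verdict(raw):
    """'hold' = PII request plus at least one other red flag: verify by phone
    at a known number before sending anything. 'review' = some flag; 'ok' = none."""
    flags = triage(raw)
    if FLAG_PII in flags and len(flags) > 1:
        return "hold"
    return "review" if flags else "ok"


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """From: Jane Doe <jane.doe@example-payroll.com>
Reply-To: jane.doe.ceo@mail-relay.test
To: payroll@example.com
Subject: W-2 copies needed ASAP

Hi, per company policy I need the W-2s for all employees sent to me immediately.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 planning meeting

Can we move Thursday's planning meeting to 2pm? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, verdict(sample), triage(sample))
```

The constructed phishing sample trips all six checks and is held; the routine meeting request from the same executive's real address trips none. In practice a rule like this is a triage aid for the mailbox owner, not a replacement for the out-of-band phone verification the article recommends, and the executive roster and domain list should be maintained alongside the organization's directory.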

Prevention Strategies and Best Practices

Organizations should implement comprehensive safeguards to protect employee PII during tax season and year-round. These include:

  • Proactive warnings. Organizations should proactively alert all human resources, payroll, tax, benefits, and similar personnel about the risks and common tactics associated with tax season phishing scams. These employees should be especially vigilant in identifying suspicious or fraudulent communications and requests. In particular, organizations should emphasize the importance of exercising extreme caution when receiving urgent requests for PII, even if the request appears to come from a member of the organization’s management or leadership. Additionally, organizations should warn employees to be cautious when receiving any communications appearing to come from internal personnel that request an individual to deviate from standard protocols or prior instructions.
  • Verification protocols. Employees should verify the legitimacy of the email by contacting the email sender over the phone at a known, legitimate number of the sender to confirm that the email is valid. Employees should reply through a new email, rather than hitting the “reply” button or clicking any links to upload or download information, which can help prevent successful spoofing attacks.
  • Employee training. Organizations should provide training to all employees on best practices to avoid phishing scams, downloads of malware, and other potential cybersecurity threats. Training should address how to identify suspicious emails, the importance of verifying unusual or urgent requests, and procedures for reporting potential threats.
  • Access controls. Employers should evaluate who has access to employee PII, consider whether too many employees have access, ensure unauthorized individuals cannot access it, and continuously check how employee PII is being transmitted and stored. Individuals with access should receive additional training on possible data breach threats.
  • Technical safeguards. Organizations should implement robust technical safeguards to protect the storage and transmission of electronically maintained PII, including encryption and redaction measures. Forms W-2, Social Security numbers, and other sensitive documents or data should never be transmitted via unencrypted email or shared without effective redactions in place.
  • Vendor management. Organizations should understand what security measures are in place to protect employee PII stored or otherwise processed by third-party vendors, such as payroll and benefits service providers.  

Legal and Regulatory Implications

A data breach involving employee PII can trigger significant legal obligations and potential liability.

All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of data breaches involving PII if certain circumstances exist. For multi-state employers, compliance becomes complex because an appropriate response requires adherence to the breach notification law of each state where affected individuals reside. These breach notification laws vary regarding the timing in which required notifications must be made (ranging from within 30 days of the breach to “as soon as reasonably practicable”), required content, delivery methods, and whether regulators and credit reporting agencies must be notified.

Noncompliance with breach notification laws can trigger significant fines from regulators. Organizations could also potentially be sued by their employees for a data breach involving employee PII and the resulting harm depending on the applicable state laws.

Conclusion

Phishing schemes targeting employee PII represent a persistent and evolving threat that requires ongoing vigilance, particularly during tax season. Organizations that maintain robust security protocols, provide regular employee training, and have comprehensive incident response plans will be best positioned to prevent attacks and minimize damage when they occur. We encourage clients to review their current data protection practices and update them as needed in light of these heightened risks.

If you have questions about protecting your organization from cyber threats such as tax season phishing schemes, responding to an attack, or complying with applicable data breach notification requirements, McGuireWoods’ Data Privacy & Cybersecurity team can help.

Christel E. Harlacher

Chrissy is a trusted advisor to clients seeking strategic, effective legal counsel on brand management, intellectual property, and data privacy matters. With deep experience across industries, from healthcare and higher education to entertainment and software, Chrissy helps clients protect, commercialize, and defend their most valuable assets: their brands and intellectual property. Chrissy’s clients value her ability to combine technical legal knowledge with real-world business insight, making her a highly effective partner for companies looking to safeguard their innovations, navigate legal risk, and build strong, enduring brands.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP

Copyright © 2026, LexBlog. All Rights Reserved.