HR and payroll professionals nationwide have been, and will continue to be, targeted with e-mails apparently sent by a senior executive but actually sent by scammers who ask for a prompt reply with the 2016 W-2s for all of the organization's employees. While reliable statistics are not yet available for the current tax season, the IRS revealed in 2016 that it had received more than 1,000 reports of tax-related phishing scams in January 2016 alone and that, in just the first half of last year's tax season, it had already experienced a 400% year-over-year increase in these scams. In February 2017, the IRS issued an “urgent alert to all employers,” warning that the W-2 phishing scams have “evolved beyond the corporate world and [are] spreading to other sectors, including school districts, tribal organizations and nonprofits.”

Employers should take steps immediately to reduce the risk that HR and payroll professionals, eager to demonstrate their responsiveness to senior management, do not fall prey to these scams. An organization hooked by a W-2 phishing e-mail can face a long list of damaging effects, including an angry, anxious and distracted workforce; potentially substantial outof-pocket and imputed costs from complying with mandatory security breach notification laws; and in some instances, class action litigation. Ironically, a few relatively straightforward changes in procedures, off-theshelf technology, and some training can largely reduce the risk that an HR or payroll professional will be duped into sending W-2s to criminals who will electronically file false tax returns to obtain a fraudulent tax refund.