AUSTIN (KXAN) — As companies start sending out their employees W-2 forms, the Internal Revenue Service wants to remind employers to be careful about a phishing scam that targets people who work on payroll.

Last year, the IRS says more than 200 employers fell victim to the phishing scam, which translated into hundreds of thousands of employees who had their information compromised. The IRS says the Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community.

The scam works by thieves identifying the person or persons who have access to W-2 forms in a business. By using spoof emails, the criminals pose as executives and send emails to payroll personnel requesting copies of employees’ W-2 forms. Once criminals have access to the W-2 forms, they can use that information for fraudulent tax returns or post it for sale on the Dark web.

Last year, the city of San Marcos fell victim to the scam. Hundreds of city employees’ information was compromised.

Because of the uptick in complaints, the IRS implemented a new process by which employers should report scams. The IRS established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how Form W-2 scam victims can notify the IRS:

• Email to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.

• In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.

• Include the following:

  • Business name
  • Business employer identification number (EIN) associated with the data loss
  • Contact name
  • Contact phone number
  • Summary of how the data loss occurred
  • Volume of employees impacted

Businesses and organizations that fall victim to the scam and/or organizations that only receive a suspect email but do not fall victim to the scam should send the full email headers to and use “W2 Scam” in the subject line.