Watch out for 1099 and W-2 phishing scams

Unmasking the threat – navigating the risks of tax season phishing scams

By Mark HoffmannKENOSHA.COM

A leader in the IT industry for nearly three decades, Hoffmann has helped small and large businesses take advantage of technology to better serve their customers and employees. Hoffmann is owner of CMIT Solutions of SE Wisconsin.

It’s still only January, but tax season is on the horizon. And since IRS requirements dictate that companies must send W-2s and 1099s to employees and independent contractors before January 31st, cybercriminals have found the perfect cover for launching their attacks. 

Financial professionals, accountants, and bookkeepers point to a surge in email phishing schemes specifically targeting individuals. These messages are sent under the guise of confirming receipt of W2 or 1099 forms. Emails posing as legitimate tax-related communications flood inboxes, urging users to click on seemingly innocuous links to confirm the receipt of their 1099 forms.  

What do these emails look like?

Common language includes lines like this: “We have sent your W-2 or 1099 electronically to save paper this year on behalf of XYZ Company. Please click on the link below to retrieve your 1099.”

The urgency of that January 31st deadline and the relevance of the looming tax season make individuals more susceptible to these scams. For many individuals, the fear of missing crucial tax information prompts immediate action—which is exactly what hackers hope for.

One of the hallmarks of these phishing emails is their deceptive authenticity. Crafted with precision, they often mimic the design and language used by legitimate tax authorities or financial institutions. From official logos to convincing language, these emails aim to bypass users’ skepticism and trick them into divulging sensitive information. 

The links embedded in these phishing emails lead unsuspecting users to malicious websites that closely resemble legitimate tax platforms. Once on these sites, users may be prompted to enter personal information, such as Social Security numbers, birthdays, financial account details, and other sensitive data. The consequences of falling victim to such scams can be severe: financial loss, data compromise, and even identity theft.

So how can individuals protect themselves? Vigilance is key in the face of these increasingly sophisticated phishing attempts. Here are some practical tips to navigate the treacherous waters of tax season:

  • Verify the sender: Legitimate tax authorities or financial institutions will not ask for sensitive information through email. Always verify the sender’s email address by revealing details about the sender’s name (which can easily be spoofed) and domain of origin (which can be manipulated to look real — like or tax.corn.). Then, cross-reference what you see in the message with past communications from official channels. 
  • If in doubt, contact the supposed sender through official channels. This can include calling them on the phone, asking to conduct a face-to-face meeting in person or via video, or researching which financial firms work with your company’s partners and third-party vendors. This can sometimes be difficult or time-consuming, but it’s worth it to verify the legitimacy of any email.
  • Hover over links before clicking. Before clicking on any link embedded in an email, hold your mouse over it to reveal the actual URL. If it looks suspicious — like long strings of unintelligible characters — or doesn’t match the expected destination, refrain from clicking. Instead, manually type websites into your browser. Then, only enter your Social Security number or Tax ID number on websites that are secure and safe — with “https://” in the URL or displaying the lock icon in the address bar.
  • Keep software updated. Extra layers of security are built into newer operating systems, email clients, antivirus software, and web browsers. Software updates and security patches should be automatically installed during off-hours to protect your systems against the latest threats and prevent disruptions of day-to-day operations.
  • Implement multi-factor authentication. In the event that passwords are stolen or login credentials are compromised, MFA can add an extra layer of security and significantly reduce the risk of unauthorized access. Enable MFA on all email accounts, social media apps, and financial portals wherever possible.
  • Educate yourself and your employees. Reading this article is step one, but due diligence goes deeper. Stay informed about common phishing tactics during tax season and use caution with any unsolicited or unfamiliar email — especially those requesting sensitive information. 

As tax season unfolds, the digital landscape can get more and more dangerous. By arming yourself in advance with pertinent information and adopting a vigilant mindset, you can navigate the surge in email phishing scams and safeguard your financial well-being. 

When it comes to cybersecurity, caution is the best defense. CMIT Solutions helps financial organizations, tax professionals, everyday consumers, and businesses of all sizes to stay safe, stay informed, and outsmart the scammers. If you need help staying safe and bolstering digital defenses this tax season, contact us today.