Don’t let W-2 fraud catch you, too!

Higher education institutions, including UC Davis, have increasingly become a target of fraudulent W-2 phishing emails in recent weeks. This increase is typical during tax season, from January to April, but the problem has gotten worse over time.

In 2023, the IRS identified 1.1 million potentially fraudulent tax returns and 12,617 of them were confirmed to be fraudulent — a 31 percent increase from the 9,626 fraudulent tax returns in 2022.

To keep your private information safe, we’ve compiled a list of everything you need to know about W-2 fraud and actions you can take today.  

What is a W-2 phishing scam? 

It is a scam that tries to trick you into giving away your W-2 information to commit identity theft and/or tax fraud. 

These scams often appear as emails, and may ask for the following personal information: 

• W-2 or other tax information
• Social Security Number
• Salary
• Home address 

Criminals use many tactics to target individuals, payroll, and tax professionals. If an email looks suspicious, don’t respond, click links, or download attachments. Instead, REPORT the message to cybersecurity@ucdavis.edu, then delete it.

W-2 phishing scam red flags 

Be aware of the telltale signs of a W-2 phishing scam: 

• Requests for personal or tax information: Do not respond to any message asking for your user ID, passwords, W-2, or other tax information.
• Impersonation: Pay attention to authentic-looking messages impersonating UC communications, executive management, or legitimate financial organizations (e.g. IRS, U.S. states) to request or review personal information. 
• Suspicious web links and attachments: Never click on a questionable link or attachments from an unknown source. 
• “Help” and encouragement: Ignore messages that pose as a “helpful” third party or encourage you to engage with bogus tax avoidance strategies. 
• Threats or a false sense of urgency: Be aware of threats and warnings of dire consequences or instances of urgency that could cause you to disclose sensitive information to unauthorized recipients. 

Tax filing best practices & reminders 

• File your taxes early: Filing as early as possible helps prevent identity fraud and stops a perpetrator from filing a fake return in your name.
• The IRS will never request or demand payment over the phone, or ask for personal information through emails, text message, or social media. Most IRS contact occurs through regular mail delivered by the U.S. Postal Service. However, there are some exceptions. Learn how to identify if an individual calling or at the door is genuinely from the IRS. 

How can I protect myself? 

When filing your W-2, it is recommended that you: 

• Access your W-2 statement directly through UC’s At Your Service or UCPath website instead of clicking on a link in an email.
• Do not reply, click any links, download attachments (including software), or enter personal information on a website, login screen, or form referenced in a suspicious-looking email. 
• Verify requests for W-2 or other tax information by calling your contacts before submitting sensitive information. 
• Never provide personal information to anyone claiming to be an IRS representative who contacts you via an unsolicited phone call. Instead record the caller’s name, badge number, and a call back number. Hang up and contact the IRS at 1-800-366-4484 to determine if the caller is a legitimate IRS employee. 
• REPORT the message to cybersecurity@ucdavis.edu, then delete it. 

Learn more about protecting yourself 

Don’t let W-2 phishing scams hook you. Check out the additional resources below: 

• IRS: List of Tax Scams/Consumer Alerts 
• IRS: Report Phishing and Online Scams 
• UC Systemwide Information Security 
• UC Davis Health: 8 Cybersecurity Habits 
• FIT University: W-2 and Tax Scams