Threat: Phishing & impersonation

Fake HR / payroll W-2 or 1099 tax form credential phishing — fraudulent email impersonating an HR department, payroll provider, or accounting system claiming an employee's W-2, 1099, or year-end tax form is available or that direct deposit details need updating — directing them to click a link and log in with credentials, provide SSN, or verify bank routing numbers to access their tax documents — a spear-phishing attack that harvests employee login credentials, SSNs, and banking details

fake-hr-w2-employee-tax-form-credential-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

This signal targets phishing emails impersonating HR departments, payroll systems (ADP, Paychex, Gusto), or accounting portals. The emails claim an employee's W-2, 1099, or year-end tax form is ready, or that direct deposit information needs updating, and direct the employee to click a link and log in to an employee portal, provide their SSN, or verify bank account and routing numbers. W-2 phishing peaks sharply January through April, coinciding with tax season.

Key facts:

(1) W-2 and direct deposit phishing attacks on employees are categorized as Business Email Compromise; BEC/EAC losses totaled $2.9B in 2023 (FBI IC3 2024). W-2 theft specifically enables tax identity fraud, where attackers file fraudulent tax returns in victims' names to steal refunds before the legitimate filers file.
(2) HR phishing is highly effective because the timing (tax season) and premise (a required work document) are both plausible: employees expect W-2s and often act without scrutiny.
(3) Direct deposit redirect phishing, which claims bank details need updating, is a separate but related attack. Once attackers intercept an employee's payroll direct deposit, they can redirect entire paychecks before detection.
(4) Legitimate HR and payroll systems (ADP, Paychex, Workday) never request SSN or bank routing numbers via email; these changes are made through authenticated portals.

Warning signs: an unsolicited W-2/1099 availability email from a non-corporate domain, a request for SSN or bank routing numbers, and a login-credentials-required CTA with a suspicious URL.
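The warning signs above can be checked mechanically. The following is an added example, not Gorganizer's code: the trusted-domain list, the regular expressions, the indicator names, and the two-indicator threshold are all assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains your organisation and its payroll provider really send from.
TRUSTED_DOMAINS = {"example-corp.test", "payroll.example-corp.test"}
LURE = re.compile(r"\b(w-?2|1099|year-end tax form|direct deposit)\b", re.I)
SENSITIVE = re.compile(r"\b(ssn|social security number|routing number|bank account)\b", re.I)
LOGIN_CTA = re.compile(r"\b(log ?in|sign ?in|verify your (account|identity|credentials))\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def _trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def w2_phish_indicators(raw):
    """Return the page's warning signs found in a raw single-part text message."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = set()
    if not LURE.search(text):
        return found  # no tax-form or direct-deposit premise, nothing to score
    found.add("tax_form_lure")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not _trusted(sender_domain):
        found.add("non_corporate_sender")
    if SENSITIVE.search(text):
        found.add("ssn_or_bank_requested")
    hosts = [urlparse(u).hostname for u in URL.findall(text)]
    if LOGIN_CTA.search(text) and any(not _trusted(h) for h in hosts):
        found.add("login_cta_offsite_url")
    return found

def is_threat_signal(raw):
    # Lure plus at least two independent warning signs (assumed threshold).
    return len(w2_phish_indicators(raw) - {"tax_form_lure"}) >= 2

# Constructed sample messages (not real traffic).
PHISH = """From: HR Payroll <hr@payroll-docs.example.net>
Subject: Your 2024 W-2 is now available

Log in to view your W-2 and confirm your SSN: https://portal.payroll-docs.example.net/login
"""
LEGIT = """From: Payroll <noreply@payroll.example-corp.test>
Subject: Your W-2 is available

Your W-2 is ready. Sign in at https://payroll.example-corp.test/ to download it.
"""
```

The legitimate notice still matches the tax-form lure, which is why the lure alone does not fire the signal: only the sender domain, the data requested, and the link destination separate the two messages.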

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
