Phishing and impersonation scams once again top the IRS’s 2026 Dirty Dozen list, reinforcing warnings that tax season remains a prime opportunity for fraudsters. While IRS impersonation schemes are familiar to many employers, experts say the more persistent and damaging threat increasingly comes from employer‑based and payroll‑adjacent scams that target W‑2 data and employee payroll systems.
Sharell Barshishat, global advisory director for North America at BioCatch, says payroll functions are attractive targets because employees are conditioned to expect tax‑related communications during filing season and often feel pressure to act quickly. Matt O’Neill, founder of 5OH Consulting LLC and a former U.S. Secret Service agent, says attackers intentionally blend fraud into routine payroll workflows, making scams difficult to distinguish from legitimate business activity.
Both experts say the IRS’s continued focus on phishing reflects how digital payroll systems have become central to modern tax fraud—and why payroll teams remain on the front lines of defense.
Summary:
- Why these scams keep working: Tax season creates urgency and expectation—making routine payroll requests easier to weaponize. “W-2 spear-phishing persists because it exploits timing, authority, and routine.” — O’Neill
- Why the payoff is worth it for criminals: W‑2 data is high-value, and even low success rates can produce major returns. “They’re simply very lucrative for fraudsters. There is tremendous ROI for criminals to continually evolve and adapt their tactics….” — Barshishat
- Why “HR/payroll” impersonation is more dangerous than IRS impersonation: Familiar internal roles feel legitimate—especially when employees expect W‑2 communication. “We’re far more likely to trust a request originating from our company’s payroll or HR team….” — Barshishat
- Where attackers most often strike in payroll workflows: W‑2 access and portals, credential resets, direct-deposit changes, and bulk requests for employee tax records. “W-2 downloads, payroll portals, and requests to verify tax information are some of the most common examples.” — Barshishat
- Why phishing is more believable now: Breached and public data help attackers tailor messages with accurate organizational details. “Attackers can include accurate details such as job titles, company departments, reporting relationships….” — O’Neill
- How AI changes the threat: More polished, convincing impersonation—and increasingly multi-channel attacks that are harder to detect. “AI has become a force multiplier for that.” — Barshishat
- What to train employees to do: Treat urgency, unusual requests, and process bypasses as red flags—verify through trusted internal channels. “Employees should be trained to watch for three main warning signs: urgency, unusual requests, and process changes.” — O’Neill
The IRS’s Dirty Dozen again highlights phishing and impersonation. Why do W‑2 spear‑phishing scams remain so persistent?
Barshishat:
They’re simply very lucrative for fraudsters. There is tremendous ROI for criminals to continually evolve and adapt their tactics.
Tax season also exploits an already nerve-wracking and anxiety-provoking time for people. Individuals are focused on making sure they get the most out of their returns and get their taxes filed by the deadline, while also trying to avoid any mistakes or trouble with the IRS.
Timely outreach from a scammer to someone in the middle of a hectic tax-filing process can mean a big payout for criminals. When people are stressed, busy, and expecting tax-related communication, it creates the perfect environment for these scams to succeed.
O’Neill:
W-2 spear-phishing persists because it exploits timing, authority, and routine. A message that appears to come from an executive or payroll manager asking for W-2 data or employee records fits naturally into the workflow. These scams are also low cost and highly scalable for criminals, so even if only a small percentage of attempts succeed, the payoff can be significant. As long as organizations rely on email and digital payroll processes, attackers will continue to target those same channels.
How do payroll impersonation scams differ from traditional IRS impersonation schemes, and why are employees more likely to trust messages that appear to come from HR or payroll?
Barshishat:
Payroll impersonation scams operate differently because they target employees inside organizations, with outreach coming from scammers impersonating not IRS officials in some distant government office complex but HR, payroll staffers, or company leadership at the more intimate organization where the potential victim works. Even this slight upgrade in familiarity and intimacy increases the likelihood these scams will succeed. When something appears legitimate and authentic, trust follows.
We often hesitate when receiving something directly from the IRS. We’re far more likely to trust a request originating from our company’s payroll or HR team, especially during tax season when those departments are expected to communicate about W-2s and tax documents.
O’Neill:
Traditional IRS impersonation scams typically involve someone pretending to be a government official threatening penalties or demanding immediate payment. Payroll impersonation scams are different because the attacker poses as someone inside the organization such as a payroll administrator, HR representative, or company executive. Employees naturally trust those roles because they are responsible for legitimate tax and payroll communications.
Which payroll touchpoints—such as W-2 access—are most commonly exploited during tax season?
Barshishat:
Fraudsters tend to focus on payroll touchpoints with which employees already interact during tax season. W-2 downloads, payroll portals, and requests to verify tax information are some of the most common examples.
A phishing email might claim a W-2 is ready for download or that an employee needs to confirm tax information, directing them to a fake login page designed to capture credentials. Once attackers gain access to payroll or HR systems, the damage can escalate quickly. They may download employee tax data, change direct-deposit details, or collect personal information that can later be used for identity theft or to file fraudulent tax returns.
O’Neill:
The most common targets are the processes tied to employee identity data and payment instructions. That includes payroll credential resets, direct-deposit change requests, and bulk requests for employee tax records. Criminals pursue these touchpoints because they provide either sensitive personal information like Social Security numbers and wage data or direct access to financial systems where payments can be redirected. Even a single compromised account in a payroll or HR system can expose large amounts of employee information.
How have data breaches made W‑2 phishing more targeted and believable, particularly for younger or higher-income employees?
Barshishat:
Large data breaches have made scams much more convincing because they provide criminals with detailed information about the people they plan to target. Instead of outreach feeling broad or generic, attackers can craft messages that are specific and prescriptive, referencing information that feels close to the victim.
When attackers combine breached data with publicly available information, they can create outreach that feels personal and credible, which increases the likelihood that someone will trust it.
O’Neill:
Large data breaches have given criminals a massive library of personal and professional information that can be used to craft convincing messages. Attackers can include accurate details such as job titles, company departments, reporting relationships, or fragments of personal data that make a message appear legitimate. For younger employees who are accustomed to managing everything through digital portals, and for higher-income employees whose tax profiles may include bonuses or complex compensation, these tailored messages can appear especially credible. When a phishing email references information that seems real, people are much more likely to trust it.
The IRS warns that scams are becoming harder to spot. How are AI-generated emails and deepfake audio changing the way payroll fraud plays out inside organizations?
Barshishat:
AI gives criminals polish, legitimacy, intimacy, familiarity, and a sense of trustworthiness that previously took time and effort to produce. It allows them to scale their operations without sacrificing the quality of the scam.
The main goal for criminals is to appear as legitimate as possible, and AI has become a force multiplier for that.
O’Neill:
AI is lowering the barrier to sophisticated impersonation. AI-generated emails can closely mimic the writing style, tone, and formatting of executives or payroll staff, removing the spelling errors and awkward phrasing that used to signal a scam. Deepfake or cloned audio is also emerging as a tool for reinforcing those messages, allowing attackers to leave voicemails or make calls that sound like a company leader confirming an urgent request. Instead of a single suspicious email, organizations may now face coordinated attacks across email, voice, and internal collaboration platforms, which makes detection much harder.
What red flags should payroll teams train employees to watch for when receiving tax-related or W-2 communications?
Barshishat:
Payroll teams should encourage employees to be cautious about any unexpected requests involving W-2 information, payroll credentials, or direct deposit changes. Messages that create urgency, such as requests for immediate action or attempts to bypass normal payroll systems, are a common tactic used in phishing and impersonation scams.
Employees should also watch for subtle warning signs like unfamiliar links, slightly altered email addresses, or login pages that do not match the company’s official payroll portal. The safest approach is always to verify requests through trusted internal channels before sharing any tax or payroll information.
O’Neill:
Employees should be trained to watch for three main warning signs: urgency, unusual requests, and process changes. Messages that demand immediate action, ask for bulk employee tax data, request login credentials, or attempt to redirect direct-deposit information should be treated with caution. Another major red flag is when a request bypasses normal payroll procedures, such as asking someone to send sensitive data over email or click a link outside the official payroll system.
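The red flags both experts list (urgency, requests for sensitive data or bulk records, process bypasses, slightly altered sender addresses, and login links that do not point at the official payroll portal) can be turned into a first-pass triage check for tax-season mail. The example below is added here and is not code from the article or from either expert; the company domain, portal hostname, keyword lists and sample messages are all assumed or constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed organisation values (hypothetical, not from the article).
COMPANY_DOMAIN = "example-payroll.com"
PAYROLL_PORTAL_HOST = "portal.example-payroll.com"

URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|asap|today|within 24 hours|before the deadline)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2s?|direct[- ]deposit|social security|ssn|login credentials?|passwords?)\b", re.I)
BULK = re.compile(r"\b(all employees|every employee|entire (?:staff|company)|full list)\b", re.I)
BYPASS = re.compile(r"\b(reply with|send (?:me|us|over)|outside (?:the |of the )?(?:system|portal))\b", re.I)
HARD_FLAGS = {"lookalike_sender_domain", "off_portal_link", "process_bypass", "bulk_request"}

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(sender: str, subject: str, body: str) -> list[str]:
    """Return the red flags found in one W-2 / payroll-themed message."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != COMPANY_DOMAIN:
        # "slightly altered email addresses": within two edits of the real domain
        flags.append("lookalike_sender_domain" if _edit_distance(domain, COMPANY_DOMAIN) <= 2
                     else "external_sender")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency")
    if SENSITIVE.search(text):
        flags.append("sensitive_topic")
    if BULK.search(text):
        flags.append("bulk_request")
    if BYPASS.search(text):
        flags.append("process_bypass")
    # "login pages that do not match the company's official payroll portal"
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        if (urlparse(url).hostname or "").lower() != PAYROLL_PORTAL_HOST:
            flags.append("off_portal_link")
            break
    return flags

def verdict(flags: list[str]) -> str:
    """Route to out-of-band verification on any hard flag, or when urgency meets a sensitive topic."""
    if HARD_FLAGS & set(flags) or {"urgency", "sensitive_topic"} <= set(flags):
        return "verify-out-of-band"
    return "deliver"
```

A routine W-2 availability notice from the real domain linking to the real portal only trips the "sensitive_topic" flag and is delivered; the check is a triage aid for payroll and security teams, not a substitute for the out-of-band verification both experts recommend.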
Will future IRS Dirty Dozen lists focus more on payroll‑adjacent scams?
Barshishat:
Yes. As more payroll systems move online and employees rely on digital self-service platforms to access tax documents, employers and payroll departments are becoming increasingly attractive targets for attackers.
O’Neill:
Yes. Employers and payroll systems sit at the intersection of tax reporting, identity data, and financial transactions, which makes them extremely attractive targets for criminals. If attackers compromise a payroll process, they can obtain Social Security numbers, tax records, and payment information affecting hundreds or thousands of employees at once. As organizations continue to digitize payroll and HR services, those systems will remain a high-value target. For that reason, I expect future warnings and enforcement efforts to focus even more on employer-based scams and attacks that exploit payroll infrastructure.