Tax season is here, and with it a new wave of personally identifiable information (PII) leaks. Due to the high volume of information being passed around, it is easy for some of it to end up in the wrong hands. W-2 forms often go from payroll companies, to employers, to employees, to accountants, and to the government. That’s a lot of opportunities for something to get lost.

As we mentioned in “Tax-and Peak PII-Season is Here,” tax season puts a multitude of people at risk for identity theft and tax fraud. Tax documents are abundant sources of PII: they contain names, addresses, wage and employer information, and most notably, Social Security numbers (SSNs). In early February 2016, a breach of the Internal Revenue Service’s (IRS) systems led to the theft of around 464,000 unique SSNs. This year, tax season is marred less by elaborate attempts to get citizens’ SSNs from the IRS and more by human error.


Not all leaks result from malicious intent; some occur due to human error rather than targeted attacks by fraudsters. Recently, for example, a corporate payroll service shipped dozens of salary records and documents to the wrong address. The company accidentally sent 60 federal W-2 forms and other tax records to a woman whose daughter previously worked for the company… twice. Thankfully, the woman never opened the packages and shipped them back to the payroll service.

In another tax blunder, a Texas school employee fell for a phishing scam where the fraudster, impersonating the superintendent, requested W-2 forms for the Texas school’s employees. The employee trusted the email and forwarded the staff’s forms to the phisher. To make up for the error, the school will offer its employees a year of identity theft monitoring. While this type of monitoring is helpful, there is still a chance the information will be leaked or sold on various dark web markets – something these monitoring services may not detect until fraudulent activity occurs.


For criminals too lazy to do the phishing themselves, dark web shops sell “fullz”: complete personal information on an individual, including occupation and SSN. These listings often come in packages containing multiple identities and sell for around $15 to $30 per record. Some vendors even offer bulk discounts.

Tax season still has a month to go, so we are likely to see a lot more tax-related leaks and phishing attempts. Ensuring tax documents follow the proper chain of custody through the tax submission process helps protect employee PII against phishing attacks and malicious use. Information in these tax forms could be used in fraudulent documents or exploited in financial situations requiring Social Security numbers and employment information. Criminals can file fraudulent tax returns and refund requests, scamming the federal government out of billions of dollars per year. So much for that tax return.