February 09, 2026
It's February.
Tax season is warming up. Payroll offices are busy. HR is pulling records. Finance teams are juggling W-2s, 1099s, grants, stipends, and deadlines.
Here's the part no academic calendar includes:
the first real tax-season disruption usually isn't a form, it's a scam.
And there's one that shows up before April even gets close because it's simple, believable, and perfectly tailored to higher education.
It may already be sitting in someone's inbox on campus.
The W-2 Scam: How It Hits Higher Education
Here's how it usually plays out.
Someone in payroll, HR, or finance receives an email that looks like it's from:
- The university president
- A provost or dean
- The CFO
- A director of finance or HR
The message is short and urgent:
"Hi — I need copies of all employee W-2s for a quick review with our tax advisors. Can you send them ASAP? I'm tied up in meetings today."
Nothing about it feels strange.
Tax season is real.
Leadership requests are normal.
Urgency is expected.
So the staff member sends the files.
Except the email didn't come from leadership.
It came from a criminal using a spoofed address or a look-alike domain that's easy to miss on a busy day.
And now that attacker has access to every employee's:
- Full legal name
- Social Security number
- Home address
- Salary and tax data
Everything needed for identity theft.
Everything needed to file fraudulent tax returns before employees do.
How Campuses Usually Find Out
The damage doesn't show up immediately.
Weeks later, faculty or staff begin filing their tax returns.
They get a rejection notice:
"A return has already been filed for this Social Security number."
Someone else already filed it.
Already claimed the refund.
Already took the money.
Now imagine this happening across:
- Faculty
- Administrative staff
- Graduate assistants
- Adjuncts
- Student employees
Suddenly, dozens,sometimes hundreds of people are dealing with:
- IRS identity theft reports
- Credit monitoring
- Delayed refunds
- Months of paperwork
All because of one email that looked routine.
At that point, it's no longer just an IT issue.
It becomes:
- An HR crisis
- A trust issue
- A reputational risk
- A compliance concern
And a situation no institution wants to explain internally or publicly.
Why This Scam Works So Well on Campuses
This isn't a sloppy phishing email.
It works because it fits higher education perfectly.
The timing makes sense.
W-2s are expected in February. No one questions why someone would ask for them now.
The request feels normal.
Payroll data really does get shared with leadership and external accountants.
The urgency is believable.
"Between meetings" and "before deadlines" describes campus life year-round.
The sender looks legitimate.
Attackers research institutions. They know leadership names, titles, and reporting structures. Sometimes they even reference real departments or vendors.
Staff want to be helpful.
Especially when the email appears to come from senior leadership. Verification often feels risky-compliance feels safer.
That's exactly what attackers count on.
How Institutions Can Reduce the Risk Now?
This scam doesn't require advanced hacking.
It succeeds on process gaps and human trust.
That also means it's highly preventable.
Create a strict rule: no W-2s via email.
No exceptions. Payroll and tax documents should never be sent as email attachments regardless of who asks.
Require second-channel verification for sensitive requests.
If someone asks for employee tax data, verification must happen via phone, in person, or an internal system,never by replying to the email.
Brief payroll, HR, and finance teams early.
A short conversation now before peak tax deadlines is far more effective than reactive training after an incident.
Lock down payroll and HR systems with MFA.
Multi-factor authentication won't stop the email but it can stop attackers from escalating if credentials are compromised.
Normalize verification, not speed.
Staff should feel supported not questioned for pausing to confirm requests, even from senior leadership.
When verification is part of the culture, scams lose their advantage.
The Bigger Tax-Season Picture for Higher Education
The W-2 scam is usually just the beginning.
Between now and April, institutions should expect:
- Fake IRS notices demanding immediate action
- Phishing emails disguised as payroll or tax software updates
- Spoofed messages from "external auditors" or "tax consultants"
- Fraudulent invoices disguised as tax-related expenses
Tax season is attractive to attackers because:
- Workloads are heavy
- Deadlines are tight
- Financial requests don't raise alarms
- Staff are moving quickly
Campuses that get through tax season clean aren't just lucky.
They have:
- Clear policies
- Informed staff
- Systems that encourage verification
- Leadership that supports caution over speed
A Final Thought
If one email can expose the personal data of an entire institution's workforce, the issue isn't technology, it's process.
Tax season is already stressful enough in higher education.
Identity theft, compliance fallout, and broken trust don't need to be part of it.
If this doesn't sound like your institution, that's great.
But chances are, you know one where it does.
And a five-minute warning can save months of damage.
