As we enter the 2026 tax filing season, organizations face a heightened risk of cyberattacks targeting employee information. Tax season is a busy time for cybercriminals, who ramp up efforts to trick businesses and individuals into sharing personal information. Bad actors can use stolen personally identifying information (“PII”) in a variety of harmful ways, including to file fraudulent tax returns and claim refunds. Below we provide an overview of the current threat landscape, key warning signs to watch for, practical prevention strategies, and guidance on legal obligations if your organization is targeted.
Tax season phishing schemes represent a particularly dangerous cybersecurity threat that has continued to escalate in recent years. A prominent tactic involves cybercriminals using spoofing techniques to disguise an email so that it appears to come from a legitimate organization executive. These emails are typically sent to payroll or human resources employees and request employee W-2 forms.
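As an added illustration (example code, not part of the original alert), the following Python check flags the executive-impersonation pattern just described in a single inbound message. The executive roster, the internal domain and both sample messages are constructed assumptions, and the rules are a starting point for mail-gateway or SOC triage, not a complete filter.

```python
# Added example: triage one raw email for the W-2 impersonation pattern.
# Roster, domain and samples below are constructed; adjust to your environment.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed roster: executive display names mapped to their real internal address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"
W2_PATTERN = re.compile(r"\bW-?2s?\b|\bforms?\s+W-?2\b", re.IGNORECASE)


def triage_message(raw: str) -> list[str]:
    """Return the warning signs found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name matches an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with unexpected address {addr}")
    # 2. Sender address is outside the organization's own domain.
    if domain and domain != INTERNAL_DOMAIN:
        findings.append(f"external sender domain {domain}")
    # 3. Reply-To steers the response to a different mailbox than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"Reply-To {reply} differs from From {addr}")
    # 4. The request itself is for W-2 forms.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if W2_PATTERN.search(text):
        findings.append("message requests W-2 forms")
    return findings


# Constructed sample: look-alike domain, mismatched Reply-To, W-2 request.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@examp1e-mail.com
To: payroll@example.com
Subject: Quick request

Can you send me the W-2s for all employees as a PDF today? Thanks.
"""

# Constructed sample: genuine internal message that should produce no findings.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Reminder

The all-hands meeting is at 3pm in the main conference room.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_message(sample))
```

Any non-empty result is a reason to verify the request with the executive through a known-good channel before releasing W-2 data.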
W-2 forms are particularly attractive targets for cybercriminals because they contain comprehensive PII, including Social Security numbers. With this PII, cybercriminals can file fake tax returns, apply for loans and credit, and commit identity theft in a variety of other destructive ways.
The threat landscape continues to evolve with increasingly sophisticated attack methods. For example, the recent AI boom has made it even easier for bad actors to create highly convincing fake content that can be used to successfully exfiltrate PII.
Organizations and their personnel should remain vigilant for the following indicators of phishing attempts:
Organizations should implement comprehensive safeguards to protect employee PII during tax season and year-round. These include:
A data breach involving employee PII can trigger significant legal obligations and potential liability.
All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of data breaches involving PII if certain circumstances exist. For multi-state employers, compliance becomes complex because an appropriate response requires adherence to the breach notification law of each state where affected individuals reside. These breach notification laws vary regarding the timing in which required notifications must be made (ranging from within 30 days of the breach to “as soon as reasonably practicable”), required content, delivery methods, and whether regulators and credit reporting agencies must be notified.
Noncompliance with breach notification laws can trigger significant fines from regulators. Organizations could also potentially be sued by their employees for a data breach involving employee PII and the resulting harm depending on the applicable state laws.
Phishing schemes targeting employee PII represent a persistent and evolving threat that requires ongoing vigilance, particularly during tax season. Organizations that maintain robust security protocols, provide regular employee training, and have comprehensive incident response plans will be best positioned to prevent attacks and minimize damage when they occur. We encourage clients to review their current data protection practices and update them as needed in light of these heightened risks.