This is a good time of year to be reminded that you need to take special precautions to protect against the spreading depredations of W-2 phishing scams.

This type of cyber-scam is considered a form of spear-phishing and is also known as business e-mail compromise (BEC) attack, and CEO spoofing. Spear-phishing attacks target a specific victim by using personal or organizational information to earn the victim’s trust.

When it comes to W-2 phishing scams, hackers obtain W-2 Forms for the purpose of filing fraudulent tax returns to obtain large refunds. These phishing e-mails typically show up around the time after firms have distributed W-2 forms to their employees.

This time, threat actors came up with a tax document phishing scam that abuses TypeForm forms to steal users’ login credentials. TypeForm is a popular online service platform specializing in surveys and forms used to collect legitimate information.

ArmorBlox researchers recently released a report outlining a phishing scam that aims to take advantage of the 2021 tax season by pretending to be a W-2 tax document shared via Microsoft OneDrive.

Users receive an email pretending to be from OneDrive where a file named ‘2020_TaxReturn&W2.pdf ‘ is shared with the user.

tax scam email image heimdal security

W2 tax scam email impersonating an automated OneDrive file-sharing communication

Image Source: ArmorBlox

When the recipient clicks on the link to retrieve the document, he is redirected to a TypeForm form that includes a blurred out 2020 W-2 tax document pretending to be secured by the Adobe Secure Document service.

However, when the user tries to enter his credentials, the form will continually state that they are incorrect until it finally displays a message saying the service was “Unable to verify your identity.”

tax scam phishing form image heimdal security

Phishing page using Typeform

Image Source: ArmorBlox

According to the ArmorBlox researchers, these repeated failed login messages are in fact a cover for the threat actors trying to capture as many credentials as possible.

It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2. In reality, there is no W2 pot of gold at the end of this malicious rainbow.


This is not the only legitimate form creation service to be abused by threat actors. Other phishing campaigns have used Google Forms and Canva to steal login credentials.

At the beginning of the month, the US Department of Justice warned that hackers are creating COVID-19 vaccine survey scams for consumers. Attackers promise victims money or rewards for filling out the phony surveys. In reality, they just collect the filled-out personally recognizable details to sustain scam plans including identity theft.

Last month, the US Internal Revenue Service (IRS) warned of ongoing phishing attacks impersonating the IRS and targeting educational institutions. Threat actors use tax refund payment baits sending an automated email informing applicants that they are eligible for a $1,400 tax refund.

To prevent these types of scams, it is always important to check unexpected emails, especially those containing links to shared documents or that ask you to log in to a service.

In general, there are signs that allow you to detect that something is not right like senders using free email services, spelling errors, poor grammar, or unusual requests from the sender.

What is Spear Phishing? Definition, Examples, Prevention Strategies

Hackers Use Vaccine Surveys to Steal Personal Information

Universities Targeted in Ongoing IRS Phishing Attacks

Leave a Reply

Your email address will not be published. Required fields are marked *