Salt Lake Engineering Firms: Watch for This Tax Season Scam Before It Hits Your Inbox

W-2 Scams Are Targeting Engineering Firms Early This Year

It’s February in Salt Lake City. Engineering teams are syncing CAD files, wrapping up Q1 deadlines, and running full steam on municipal and infrastructure bids.

And while your ops manager is digging through last year’s vendor invoices and your bookkeeper is prepping 1099s, there’s a different kind of threat creeping into inboxes across the Wasatch Front.

It’s not a software update. It’s not a plotter jam. It’s a cyber scam—and it hits engineering firms right where it hurts: payroll.

The W-2 Scam: Why It Works So Well in Engineering Offices

Here’s how it unfolds:

Your HR coordinator or admin (who also happens to manage project onboarding and payroll) gets an email. It looks like it’s from the principal engineer, the founder, or a project lead.

The message is short, direct, and familiar:

"Hey, can you send me the W-2s for the team? I need them for a quick meeting with our CPA. Swamped today—thanks."

Sounds normal, right? In February, it is. Especially in firms juggling bid schedules and tax prep.

So they send it.

But it wasn’t your principal engineer. It was a cybercriminal who spoofed the domain or used a lookalike email address.

Now they have your entire team's:

  • Full names
  • Social Security numbers
  • Salary info
  • Home addresses
  • And everything else needed for identity theft or to file fake tax returns
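The request described above leaves traces a mail filter can check before anyone replies. The sketch below is an added example, not part of the original article: the firm domain, the leadership names and the three messages are constructed, and it assumes the `Authentication-Results` header was stamped by the firm's own mail gateway.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-eng.test"            # assumed firm domain (constructed)
EXECUTIVES = {"dana reyes", "sam okafor"}  # assumed leadership names (constructed)
PAYROLL_RE = re.compile(r"\bw-?2s?\b", re.I)

def _domain(header_value):
    # Lower-cased domain of an address header, or '' when the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def w2_request_flags(raw):
    """Return reasons a message looks like a spoofed W-2 request ([] if none)."""
    msg = message_from_string(raw)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    flags = []
    if from_dom != ORG_DOMAIN:
        if name in EXECUTIVES:               # leader's name on an outside address
            flags.append("exec-name-external-sender")
        if SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() >= 0.85:
            flags.append("lookalike-domain")
    if reply_dom and reply_dom != from_dom:  # replies diverted to another domain
        flags.append("reply-to-mismatch")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")           # exact-domain spoof failed DMARC
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    # Sender anomalies are reported only when the message asks about W-2s.
    return flags if PAYROLL_RE.search(text) else []

# Constructed sample messages (not real traffic).
LOOKALIKE = """From: Dana Reyes <dana@examp1e-eng.test>
Subject: Quick favor
Authentication-Results: mx.example-eng.test; dmarc=pass

Hey, can you send me the W-2s for the team? Swamped today, thanks."""
SPOOFED = """From: Dana Reyes <dana@example-eng.test>
Reply-To: dana.reyes@mailbox.test
Subject: W-2s
Authentication-Results: mx.example-eng.test; dmarc=fail

Need the W-2s for a CPA meeting."""
GENUINE = """From: Dana Reyes <dana@example-eng.test>
Subject: W-2 reminder
Authentication-Results: mx.example-eng.test; dmarc=pass

W-2s are available in the payroll portal."""
```

Any non-empty result is a cue to hold the message and confirm the request through a second channel, not a verdict on its own.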

When Your Engineers Find Out, It’s Too Late

It usually hits like this:

One of your engineers files their taxes. The return bounces.

"This SSN has already been used."

Someone beat them to the IRS using the data your office unknowingly leaked.

Now it’s not just their problem. It’s yours.

As an engineering firm, you depend on trust, precision, and operational integrity. But this kind of breach sends a different message to your team:

  • That leadership didn’t put the right safeguards in place.
  • That your internal policies are outdated.
  • That your MSP didn’t catch a basic red flag.

And worst of all: that you can’t protect your own people.

Why Salt Lake City Engineering Firms Are Prime Targets

This scam works especially well in firms like yours because:

  • The timing is perfect. Engineers expect W-2s to move this time of year. A request from leadership doesn’t seem suspicious.
  • The tone fits your culture. Most firms run lean. Quick, no-fluff communication is the norm. So no one questions a short, urgent email.
  • Admin staff wear multiple hats. When HR, payroll, and project support are rolled into one person, there's less time for verification.
  • The sender looks real. Cybercriminals do their homework. They know who your managing partner is. They even know your accounting firm's name.
  • People want to be helpful. Especially in engineering culture, where taking initiative is prized. Urgency often overrides verification.

How to Shut This Down Now

The good news? This is fixable.

You don’t need a huge cybersecurity budget. You need five simple controls that any engineering firm in Salt Lake can put in place this week:

  1. Ban W-2s Over Email

Make it firm policy: no W-2s or sensitive payroll docs ever get sent via email. Not to partners. Not to CPAs. Not to anyone. These documents should live behind MFA-protected payroll systems—not in inboxes.

  2. Always Verify Via a Second Channel

If someone asks for employee data, verify it through a phone call, Teams chat, or walk down the hall. Don’t reply to the email. Use a known number.

  3. Run a 10-Minute Tax Scam Huddle

Your team doesn’t need a 2-hour training. Just pull your ops and admin staff together and say:

"These scams are going around right now. Here’s what they look like. If you see one, verify it."

It’s the best ROI you’ll get all week.

  4. Enforce MFA on Payroll & HR Portals

Your Gusto, QuickBooks, ADP or whatever system you use? Lock it down with multi-factor authentication. If someone does get phished, this is your last line of defense.

  5. Normalize Caution

If someone on your team double-checks a request from the boss, praise them.

Create a culture where verification is expected, not eye-rolled.

This isn’t paranoia. It’s policy.

Bigger Threats Are Coming

This W-2 scam is just the beginning.

Over the next 60 days, Salt Lake engineering firms will see a wave of tax-themed attacks:

  • Fake DocuSign links from "your accountant"
  • Spoofed messages from the IRS
  • Malware disguised as tax software updates
  • Invoice phishing hidden inside project billing emails

Hackers love tax season because finance and ops teams are stressed, moving fast, and expecting unfamiliar requests.

The only firms that get through clean? The ones that prepare.

Are You Ready?

If you already have a no-W-2-email rule, MFA, and a verification process in place—excellent. You’re ahead of most Salt Lake firms.

If you don’t? Now is the time.

At Qual IT, we work with engineering firms across Salt Lake City to build cybersecurity policies that match their real workflows. No jargon. No fluff. Just practical, industry-specific IT support that protects your team and keeps operations moving.

Click here to book your free network assessment.

We’ll review your risk points, evaluate your email defenses, and help you implement policies your whole team can stick to.

Because tax season is hard enough without identity theft making it worse.