Tax Season Scams Hit Small Businesses in Frankfort First. Here’s the One That Costs Teams the Most.

By Jeff Reiter, CEO, RWK IT Services

February in Frankfort, Illinois usually means one thing for business owners: everything speeds up.

Payroll runs. W-2s and 1099s. Vendor invoices. “Can you send this to the accountant today?” moments.

And that’s exactly why scammers love this season.

The first tax-season issue many small businesses face isn’t a form; it’s an email scam that looks like it came from you.

If one person handles payroll (or “whoever wears the HR hat”), this is the one to stop before it starts.

The W-2 Scam: What It Looks Like in Real Life

Your payroll or office manager gets a short email that appears to be from the owner, CEO, or a senior leader.

It’s urgent. It’s believable. It sounds normal for February:

“Hey - can you send me copies of all employee W-2s for the accountant? Need them ASAP.”

Your employee wants to help, so they send the files.

Except… it wasn’t you.

It was a criminal using a spoofed address or a look-alike domain (a tiny variation that’s hard to notice).

Now they have employees:

  • full names
  • home addresses
  • Social Security numbers
  • pay details

That’s enough for identity theft and fraudulent tax filings.

Why This Hurts More Than “Just IT”

Most businesses find out when an employee files taxes and gets rejected because a return was already submitted.

Now your employee is stuck in a mess.

And you’re dealing with something bigger:

This becomes a trust problem inside your business, not just a “cybersecurity” problem.

Small teams run on trust. Scammers know that, and they target small businesses across Frankfort, Will County, Illinois, and northwest Indiana because fast-moving teams are easier to pressure.

Why This Scam Works So Well on Small Businesses

This isn’t the obvious “bad grammar” scam.

It works because:

  • The timing is perfect. W-2 requests are normal in February.
  • The ask is reasonable. It’s not “wire $50,000.” It’s “send a tax document.”
  • The urgency feels real. Busy teams default to speed.
  • It looks like leadership. Scammers research names and titles.
  • Small teams run on trust. Scammers exploit that.

How to Stop the W-2 Scam This Week (Without Overcomplicating Anything)

You don’t need paranoia. You need a few clear rules plus the right guardrails.

1) Make a “No W-2s by Email” Rule

  • No attachments. No exceptions.
  • If someone needs payroll documents, they come from a secure system or secure transfer method, not email.

2) Require Second-Channel Verification

  • Any request for employee data must be verified using a second channel:
  • phone call
  • in-person confirmation
  • a known Teams/Slack message
  • an approved ticket & approval workflow
  • Do not reply to the email to verify. Use contact info you already have.

3) Do a 10-Minute Tax Scam Huddle

Tell payroll/admin staff:

  • this scam spikes right now
  • here’s what it looks like
  • here’s the rule: verify plus no attachments

4) Lock Down Access Where Employee Data Lives

Payroll systems, HR platforms, benefits portals, and Microsoft 365 should have:

  • multi-factor authentication (MFA) enforced
  • least-privilege access (not everyone needs admin rights)
  • audit logs enabled so you can trace what happened

5) Make Verification a Culture

The employee who double-checks a “boss request” should be thanked, not teased.

That one habit prevents breaches.

The Security Upgrades Small Businesses Are Making in 2026 (Without Hiring a Big IT Department)

Most small businesses don’t need a massive security program.

They need a right-sized approach that quietly blocks the stuff that hits first, especially during tax season.

Here are the areas we’re helping small businesses improve:

Microsoft 365 Protection and AI Guardrails

If you use Microsoft 365, the default settings are built for convenience, not business-grade security.

The right improvements include:

  • enforcing strong sign-in protections
  • limiting admin access
  • securing file sharing and guest access
  • putting clear boundaries around AI tools so sensitive data doesn’t get pasted into the wrong place

Zero-Trust Basics

Zero trust doesn’t mean “trust nobody.”

It means:

  • verify every login
  • limit what users can access
  • reduce the blast radius if an account gets compromised

Cyber Liability Readiness (Including AI Policies)

Owners are getting asked harder questions by:

  • insurance carriers
  • compliance requirements
  • clients and vendors

A practical cyber liability program helps you document:

  • policies (including an AI acceptable use policy)
  • approvals and training
  • security controls in place
  • evidence needed for renewals and audits

Incident Response Plan

When something goes wrong at 4:55 PM on a Friday, you don’t want guesswork.

A simple incident response plan clarifies:

  • who to call
  • who can authorize shutdowns
  • what not to do
  • how to preserve evidence and restore safely

Email Protection That Stops “Fake Boss” Messages

Email impersonation is still one of the biggest small business threats.

The right email authentication setup makes it much harder for criminals to impersonate your domain, especially during tax season.

Quick Gut Check for Frankfort & Illinois Businesses

  • If an email “from you” asked for W-2s, would your team verify it another way?
  • Do you have a rule against sending payroll docs as attachments?
  • Is MFA enforced for payroll/HR/Microsoft 365?
  • Can you list who has admin rights, and why?
  • Do you have an incident response plan that fits your team?
  • Do you have email protections to reduce spoofing?

If any of those are a “maybe,” you’re not behind. You’re normal.

But tax season is when scammers cash in on “maybe.”

Want a Fast Tax-Season Security Check

If you’re in Frankfort, Illinois (or anywhere in Illinois), we can do a quick review focused on what hits first during tax season:

  • payroll/HR access and MFA
  • W-2 verification rules
  • email protections (DMARC/SPF/DKIM)
  • Microsoft 365 security settings that small businesses miss
  • a simple “if this happens, do this” incident response playbook

If you’re solid, great, peace of mind.  If you’re not, you’ll leave with a simple plan.

Because tax season is stressful enough without identity theft layered on top.

RWK IT Services

9645 Lincolnway Ln Ste 101, Frankfort, IL 60423
Serving all of Illinois and northwest Indiana

If everything looks solid, you’ll leave with peace of mind.  If it doesn’t, you’ll leave with a simple plan.

Because tax season is stressful enough without identity theft on top of it.

Frequently Asked Questions

1) What should we do if W-2s were emailed to the wrong person?

If W-2s (or any employee tax documents) were sent to the wrong recipient, treat it as a serious data exposure, because it includes Social Security numbers and other sensitive information.

Start with these steps:

  • Stop the leak: confirm no more documents are being sent and preserve the original email (don’t delete it).
  • Notify leadership immediately: the owner/leadership team should be aware right away.
  • Contact your IT/security partner: they can check email logs, confirm whether the message was spoofed, and secure accounts.
  • Reset access where needed: change compromised passwords and enforce MFA on Microsoft 365 and payroll/HR systems.
  • Document everything: dates, who sent what, and to whom. This matters for insurance and legal guidance.
  • Get guidance on notification obligations: Illinois businesses may have legal notice requirements depending on what was exposed.

2) How do we prevent spoofed emails that look like they come from the owner or CEO?

Spoofed “boss emails” are one of the most common ways scammers steal information during tax season.

The strongest approach is a combination of:

  • Email authentication (domain protection): this reduces the chance criminals can impersonate your company email domain.
  • Verification rules: a clear policy like “no W-2s by email” plus a “second-channel verification” requirement.
  • Stronger sign-in security: MFA and least-privilege access inside Microsoft 365.
  • Training for the people most targeted: payroll/admin/finance staff should know the pattern and what to do.
  • For small businesses across Illinois and northwest Indiana, these guardrails prevent the “it looked real” moment that causes the damage.

If you’re in Frankfort or anywhere in Illinois, the best move is to respond fast and methodically, so you protect employees and reduce long-term fallout.

3) Do small businesses really need Microsoft 365 security hardening?

Yes, especially if your business runs Microsoft 365 for email, files, and collaboration.

Microsoft 365 is powerful, but many small businesses are still using default settings, which can leave gaps like:

  • too many admin accounts
  • risky file sharing permissions
  • weak sign-in protections
  • not enough visibility when something suspicious happens
  • unclear boundaries for built-in or connected AI tools

“Hardening” doesn’t mean making life harder for your staff. It means setting it up, so email, files, and logins are business-grade secure without constant hassle.

4) What’s the simplest incident response plan a small business can have?

A simple incident response plan is often a one-page document that answers three things:

1) Who do we call?

  • IT/security contact
  • key internal decision maker
  • cyber insurance contact (if you have it)

2) What are the first steps?

  • isolate affected accounts/devices
  • preserve evidence (don’t wipe things in panic)
  • reset credentials & enforce MFA
  • communicate internally with one clear point-person

3) What do we NOT do?

  • don’t email new passwords
  • don’t delete the suspicious email
  • don’t “factory reset” devices before review
  • don’t make public statements until you know what happened

For businesses in Frankfort, IL and across Illinois, this kind of simple plan prevents costly confusion when something hits at the worst possible time.