… it’s not quite the season yet.
So, instead, I am making a general recommendation.
Never respond to emails that request sensitive information (personal, business, or otherwise) without verifying the identity and the legitimacy of the requesting party. This means picking up the phone and calling the requester using a known good contact phone number (you can’t trust information in the email.)
This post was prompted by thoughts of HR folks seeing phishing emails requesting W-2 information. In case I forget to post about it in January: HR types need to be particularly phishing-aware. If your boss or CEO or President wants to see all your W-2 info – well, yeah, that deserves a phone call before you reply.
Good luck out there!