A hacker posing as Sunrun CEO Lynn Jurich obtained the W-2 tax forms — including Social Security numbers and salary details — for many employees of the San Francisco solar firm, the company said Friday.

The incident represents the latest example of a spear-phishing attack timed to coincide with the start of tax-filing season. Spear-phishing attacks use carefully tailored, detailed emails to trick recipients into divulging sensitive information.

Someone pretending to be Jurich sent Sunrun’s payroll department an email on Jan. 20 requesting employee W-2 forms, which companies typically send their employees this month.

“Unfortunately, the phishing email wasn’t recognized for what it was — a scam — and employee W-2s for 2016 were disclosed externally,” the real Jurich wrote to Sunrun employees in a memo this week.

The Chronicle first reported the hack online Friday morning after receiving a copy of Jurich’s memo. A Sunrun spokeswoman confirmed the data breach later that day, saying “a substantial portion” of the company’s current and former employees had been affected. Sunrun, a pioneer of solar leases for homeowners, has about 4,000 employees nationwide.

According to the company, no customer data was disclosed.

“Sunrun recognized the issue within one hour of the scam and immediately began working with the proper authorities,” the company said Friday. “We are committed to the safety and security of our employees’ information and will continue to work diligently to increase the security of our systems and implement tighter controls.”

Affected employees can sign up for an identity theft protection program offered by Experian, with Sunrun covering the costs for two years. The company will also revise its internal training program on data security, according to the memo.

The memo advises affected employees to file their taxes as early as possible. Since W-2 forms reveal a taxpayer’s address, Social Security number, salary and taxes withheld, scammers can use them to file fraudulent tax returns and steal the refunds.

Glenn Massamillo, a former employee who left Sunrun last year, said he had already spoken to his accountant about speeding up the filing process. He was also weighing whether to sign up for the Experian program.

But he questioned why Sunrun’s payroll department fell for the scam. A request for something as sensitive as employee W-2s, he said, should have prompted an attempt to verify it.

“There’s some level of extreme incompetence that took place, just from the standpoint of the way the scam was described,” said Massamillo, who worked in business development for Sunrun’s New Jersey operations. “I can’t imagine that happening without some sort of verification process, like, ‘Really, Lynn, do you really want this?’”

A similar incident hit Cupertino’s Seagate Technology last March, affecting thousands of employees. And in May, ADP, which processes payroll and tax forms for hundreds of thousands of corporate clients, said that hackers had been able to access some tax forms by impersonating its customers’ employees with stolen personal data.

Unlike hackers trying to break into corporate computer systems, perpetrators of this type of scam focus on manipulating humans, not lines of code.

The emails are tailored to look like they come from within the organization, even if a close examination would show slight differences in the address. Scammers typically impersonate a high-ranking executive, send the email to a subordinate and demand a fast response.

“There’s a sense of urgency,” said Neil Wynne, a senior analyst at the Gartner research firm. “Given who this is appearing to come from, it feels like your job is on the line.”

Many companies try to protect themselves by teaching employees to look for signs that an email didn’t come from within the organization, such as checking the address for discrepancies.
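The address checks described above can be automated as a first-pass filter on inbound mail. The following detector is an added illustration and is not part of the Chronicle article, nor Sunrun’s or Gartner’s tooling; the corporate domain (`example-solar.com`), the executive names, the keyword list and the three sample messages are all constructed for the example. It flags the pattern the article describes: an executive’s display name on an address outside the company domain, a sender domain one or two characters away from the real one, a Reply-To that diverts responses elsewhere, and a request for payroll or tax data.

```python
"""Flag inbound mail that resembles executive impersonation.

Added illustrative detector; not Sunrun's or Gartner's code. The domain,
executive list, keyword list and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example-solar.com"                 # assumed corporate mail domain
EXECUTIVES = {"pat executive", "chris finance"}   # assumed display names to protect
SENSITIVE = ("w-2", "w2", "social security", "wire transfer", "payroll")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to CORP_DOMAIN marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    findings = []

    # 1. Executive display name on an address outside the corporate domain.
    if name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        findings.append(f"executive display name '{name}' on external address {addr}")

    # 2. Sender domain within two edits of ours, e.g. a swapped or substituted letter.
    if from_dom and from_dom != CORP_DOMAIN and levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Reply-To that sends the answer somewhere other than the sender's domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply)} differs from sender domain")

    # 4. Request for payroll/tax data. Alone this is only context; together with any
    #    of the sender anomalies above it is the pattern the article describes.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(k in text for k in SENSITIVE):
        findings.append("requests sensitive payroll/tax data")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": (
        "From: Pat Executive <pat@example-solar.com>\n"
        "To: payroll@example-solar.com\n"
        "Subject: Board deck\n\n"
        "Can you send me last quarter's headcount summary?\n"
    ),
    "lookalike": (
        "From: Pat Executive <pat@examp1e-solar.com>\n"
        "To: payroll@example-solar.com\n"
        "Subject: Quick request\n\n"
        "Please send all 2016 employee W-2 forms today.\n"
    ),
    "freemail": (
        "From: Pat Executive <ceo.office.1234@webmail.example>\n"
        "Reply-To: pat.exec.private@other.example\n"
        "To: payroll@example-solar.com\n"
        "Subject: Urgent\n\n"
        "Need the payroll export with Social Security numbers asap.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw) or ["clean"])
```

A hit from any of the first three checks, combined with the fourth, is the case where the recipient should stop and confirm the request through a separate channel rather than reply to the message itself.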

And yet, considering the sophistication of the attacks, Wynne recommends adding a layer of defense by insisting that employees verify all online requests for money transfers or sensitive information.

And that verification should happen over a different form of communication than the original request. So if the request arrives via email, employees could be required to verify it by phone rather than just responding to the original email, Wynne said.

“They’re so well-crafted that there’s only so much you can tell an employee, and even then, they still might fall prey to this,” he said. “A subordinate shouldn’t hesitate to pick up the phone and validate this with the CEO or the CFO.”

David Baker is a San Francisco Chronicle staff writer. Email: dbaker@sfchronicle.com Twitter: @DavidBakerSF