The IRS issued an alert on March 1, 2016 to payroll and HR professionals about a new phishing scheme involving W-2 information. Employers need to take immediate steps to confirm the security of their employees’ personal information.
The alert describes a scheme which has already claimed several victims. Payroll and human resources officers have mistakenly emailed payroll data including W-2 forms that contain social security numbers and other personally identifiable information to cyber criminals who posed as company executives.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
The fraudulent email contains the name of the company chief executive officer and requests a list of employees and information including social security numbers from a company payroll employee or outside HR service.
The IRS alert identified the following details included in these emails:
- Kindly send me the individual 2015 W-2 (pdf) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, and salary).
- I want you to send me the list of W-2 copy of employees’ wage and tax statements for 2015, I need them in pdf file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Criminals use this information to file fraudulent tax returns for refunds or otherwise monetize the stolen data.
We recommend that every employer take immediate action to address this phishing variation known as “spoofing.” Employers should contact their outside human resource professional to determine that security protocols are in place to avoid this cybercrime. In house, a review of data protection policies, procedures and technologies should be conducted. Carnegie Mellon University’s list of best practices for mitigating cybercrime is a helpful resource. See Insider Threat Best Practices
This review should be team based including management, HR, IT and legal counsel. Heightened awareness of everyone in the organization may be the first and best protection.