March 22, 2016
The IRS issued an alert on March 1, 2016 to payroll and HR professionals about a new phishing scheme involving W-2 information. Employers need to take immediate steps to confirm the security of their employees’ personal information.
The alert describes a scheme which has already claimed several victims. Payroll and human resources officers have mistakenly emailed payroll data including W-2 forms that contain social security numbers and other personally identifiable information to cyber criminals who posed as company executives.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
The fraudulent email contains the name of the company chief executive officer and requests a list of employees and information including social security numbers from a company payroll employee or outside HR service.
The IRS alert identified the following details included in these emails:
Criminals use this information to file fraudulent tax returns for refunds or otherwise monetize the stolen data.
We recommend that every employer take immediate action to address this phishing variation known as “spoofing.” Employers should contact their outside human resource professional to determine that security protocols are in place to avoid this cybercrime. In house, a review of data protection policies, procedures and technologies should be conducted. Carnegie Mellon University’s list of best practices for mitigating cybercrime is a helpful resource. See Insider Threat Best Practices
This review should be team based including management, HR, IT and legal counsel. Heightened awareness of everyone in the organization may be the first and best protection.