Earlier this month, the IRS issued an alert to payroll and HR professionals to watch out for a scam that aims to obtain employees’ personal information. The scam is a form of a “phishing” email in which a cybercriminal pretends to be someone they are not in order to trick the victim to install malicious software or send money or valuable information.
In this particular scheme, criminals are targeting payroll and HR professionals by purporting to be the company’s CEO asking for W-2 filings or other employee information. The email appears to be coming from the CEO and uses his or her actual name, but a response will be routed back to the hacker. One red flag to look for is if the return email address is not associated with the company. Others include grammatical errors, misspellings, and use of uncommon words like “kindly.”
Scams like this are almost as old as the internet, but are becoming more prevalent and sophisticated. The IRS has seen a 400% increase in phishing and malware incidents this tax season. The Treasury Inspector General for Tax Administration estimates that tax refund fraud losses will reach $21 billion this year.
Some of the phishing emails that have been reported to IRS Criminal Investigation contain the following phrases:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
IRS Commissioner John Koskinen recommends checking out requests for lists of personal employee data before you send the requested information. This is a good idea whether the request appears to be someone at your company or a business partner like your insurance broker or benefits consultant.
While it may be an inconvenience, a quick phone call to verify that a request is legitimate can help prevent employees from becoming victims of identity theft or tax fraud. It can also save you and your company a load of headaches, liability, and embarrassment. To make sure you’re following best practices for cybersecurity, check out IRS.gov/taxessecuritytogether or Publication 4524.