The IRS is warning human resource managers of an “emerging phishing scheme” where cyber thieves steal employees’ personal information by pretending to be company executives.
A number of HR and payroll offices have already been conned into emailing out W-2 forms complete with employees’ Social Security numbers and other personal information, IRS Commissioner John Koskinen noted on the agency’s site.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” Koskinen said, noting that this latest scam targets companies’ payroll divisions. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
Cyber crooks posing as CEOs may also ask HR to turn over employees' dates of birth, home addresses and salary information. This warning follows an earlier IRS alert to all taxpayers, issued after the agency saw a 400% increase this year in phishing and malware incidents.
For companies, HR needs to be on the front lines to ensure employee data is protected. “At a minimum, human resources should have in place written policies regarding the handling of employee PII [personally identifiable information] and provide training designed to protect employee PII against a data breach,” Brian Cesaratto and Adam Forman, attorneys at Epstein Becker & Green, write in The National Law Review.
“Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.”
Cesaratto and Forman write that popular phishing targets are healthcare groups, shipping firms, school districts, restaurants and temporary staffing agencies. “One simple protective measure may be that a phone call confirmation is required before hitting the send button,” they write.
Besides school districts, cyber thieves also have targeted tribal groups and nonprofits, Forbes reports. These groups represent a wider scope beyond the for-profit companies that were the primary targets last year. And the crooks have doubled down on the initial scam with bolder follow-up emails.
“In the second phase, the ‘executive’ email requests that funds be transferred by wire to a certain bank account to cover payroll or other bills,” notes Forbes staff writer Kelly Phillips Erb. “The result is that some companies have handed over their employees' forms W-2s as well as thousands of dollars to identity thieves and scammers.”
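Both phases of the scam share the same tells: an executive's display name on a message that did not come from the executive's mailbox (an external or lookalike sender domain, or a Reply-To that quietly redirects the conversation), combined with a request for W-2/PII data or a wire transfer and pressure to act quickly. The following triage script is an added example, not code from the article, the IRS or the attorneys quoted; the company domain, executive roster and the three sample messages are constructed for illustration. It parses each message, scores those indicators, and tells the HR or payroll recipient whether to send, to confirm by phone first, or to hold the message entirely.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company domain and executive roster; a real deployment would
# pull these from the directory. All sample messages below are constructed.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phase 1 asks for W-2s/PII, phase 2 asks for a wire; both lean on urgency.
PII_RE = re.compile(r"\b(w-?2s?|social security|ssn|date of birth|home address|salary)\b", re.I)
WIRE_RE = re.compile(r"\b(wire|transfer|bank account|payroll|invoice)\b", re.I)
URGENCY_RE = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg):
    """Return the text/plain content of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")


def analyze(raw):
    """Score one raw RFC 822 message; returns a verdict and the reasons for it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + body_text(msg)

    spoof, request = [], []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        spoof.append(f"display name '{name}' is an executive but sender is {addr}")
    if from_domain and from_domain != COMPANY_DOMAIN \
            and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        spoof.append(f"lookalike sender domain {from_domain}")
    if reply_to and reply_to != addr:
        spoof.append(f"Reply-To {reply_to} differs from From {addr}")

    pii, wire = bool(PII_RE.search(text)), bool(WIRE_RE.search(text))
    if pii:
        request.append("asks for employee PII / W-2 data")
    if wire:
        request.append("asks for a funds transfer")
    if URGENCY_RE.search(text):
        request.append("pressures for immediate action")

    if spoof and (pii or wire):
        verdict = "hold"     # do not send; phone the real executive on a known number
    elif pii or wire:
        verdict = "confirm"  # plausible sender, but PII/wire requests still get a call
    elif spoof:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": spoof + request}


# Constructed samples: a benign internal note, then the two phases of the scam.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Staff meeting

Can we move Thursday's staff meeting to 3pm?
"""

PHASE1 = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@mail.invalid>
To: payroll@example.com
Subject: Employee W-2s needed ASAP

Kindly send me the 2015 W-2s for all employees as a PDF. I need them right away.
"""

PHASE2 = """From: Jane Doe <jane.doe@example.com>
Reply-To: jdoe.ceo@mail.invalid
To: payroll@example.com
Subject: Re: Employee W-2s needed ASAP

Thanks. Also wire $48,000 to the account below today to cover payroll; I am travelling.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phase1", PHASE1), ("phase2", PHASE2)):
        result = analyze(raw)
        print(label, result["verdict"], *result["reasons"], sep="\n  ")
```

The second-phase sample is the instructive one: its From line carries the executive's genuine address, so the display-name and lookalike checks pass, and only the external Reply-To gives it away. Where the mail gateway records SPF, DKIM and DMARC results, those authentication headers are a stronger signal than any of these heuristics and should be added to the spoof list; none of it replaces the phone-call confirmation the attorneys recommend, which the "hold" and "confirm" verdicts are meant to trigger.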
Companies that spot or have been victimized by a scam can file a complaint with the Internet Crime Complaint Center (IC3) run by the FBI. They can also contact their respective state tax agencies.