Several more companies have fallen prey to W-2 phishing scams in the three weeks since the Internal Revenue Service (IRS) warned about such attacks on March 1, 2016.
The IRS alerted human resource and payroll departments that cyber-criminals, posing as company executives, would attempt to lure HR employees into e-mailing them sensitive payroll data, including W-2s, containing workers’ Social Security numbers, salary information, dates of birth, addresses and other personally identifiable data. The information is prized by thieves wishing to file for and steal tax refunds.
It’s a growing trend each tax season; there was a nearly 50 percent increase last year in consumer identity theft complaints related to tax refund fraud, according to the Federal Trade Commission.
How It Works
Data thieves pretend to be company executives by rigging e-mails to look legitimate. For example, HR professionals or payroll employees will receive a fake e-mail from what seems to be the CEO’s e-mail account asking them to send him or her personally identifiable information about employees of the company, including W-2s.
According to the IRS, these are some excerpts from the phony e-mails:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (name, Social Security number, date of birth, home address and salary)?”
- “I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2015. I need them in PDF file type. You can send it as an attachment. Kindly prepare the lists and e-mail them to me ASAP.”
Preventing Data Theft
In cases like these, HR should check out the request before responding. Pick up the telephone and call the executive to verify the request.
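As an added illustration (not part of the IRS guidance or the original article), the Python sketch below shows how a mail filter could flag messages that ask for payroll data so HR knows to verify them by phone. The company domain, executive name, reason strings and sample messages are constructed assumptions, and the check reads plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for this sketch; replace with your own organisation's.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}  # executive display names, lowercased

# Phrases taken from the IRS-quoted excerpts on this page.
PAYROLL_TERMS = re.compile(
    r"\bW-?2s?\b|social security number|wage and tax statement|"
    r"earnings summary|date of birth|list of employees", re.IGNORECASE)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def review_message(raw):
    """Return reasons the message needs phone verification (empty if none)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if not PAYROLL_TERMS.search(text):
        return []  # not a request for payroll data
    reasons = ["requests payroll data"]
    if name.lower() in EXECUTIVES and domain_of(from_addr) != COMPANY_DOMAIN:
        reasons.append("executive name on an outside address")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append("replies go to a different domain")
    return reasons

# Constructed sample messages (bodies reuse the IRS excerpts quoted above).
SPOOFED_REPLY_TO = (
    'From: "Pat Morgan" <pat.morgan@example.com>\n'
    "Reply-To: pat.morgan@example.net\n"
    "Subject: Quick review\n\n"
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary "
    "of all W-2 of our company staff for a quick review.\n")
LOOKALIKE_SENDER = (
    'From: "Pat Morgan" <ceo.office@example.org>\n'
    "Subject: Employee list\n\n"
    "Can you send me the updated list of employees with full details "
    "(name, Social Security number, date of birth, home address and salary)?\n")
ROUTINE = (
    'From: "Pat Morgan" <pat.morgan@example.com>\n'
    "Subject: Lunch\n\nTeam lunch is moved to Friday.\n")

if __name__ == "__main__":
    for label, raw in [("reply-to", SPOOFED_REPLY_TO),
                       ("lookalike", LOOKALIKE_SENDER), ("routine", ROUTINE)]:
        print(label, review_message(raw))
```

A message that only "requests payroll data" from an internal address is still flagged, because a look-alike or compromised account can pass the header checks; the phone call remains the deciding step.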
The IRS lists these basic steps to keep workforce information secure:
- Use security software with firewall and anti-virus protections.
- Ensure the security software is always turned on and can automatically update.
- Encrypt sensitive files such as tax records stored on your computer.
- Use strong passwords.
- Learn to recognize and avoid phishing or spoofing e-mails.
- Do not click on links or download attachments from unknown or suspicious e-mails.
- Don’t leave hard copies of employees’ W-2s lying around the office.
Victims of Data Theft: What to Do
If you do fall victim to an e-mail phishing scam, you should notify the FBI and affected employees immediately. Companies should also provide credit monitoring for employees and consider having a comprehensive cyber liability insurance policy to cover any liability associated with a data breach.
For assistance with this or other HR-related concerns, please contact CJC Human Resource Services at www.cjchrservices.com.