Form W-2 Cybercriminals Target HR and Payroll
Author: Rena Pirsos, XpertHR Legal Editor
March 1, 2016
HR and payroll professionals are falling prey to a current phishing scheme that lures them to respond to emails purportedly sent by company executives requesting private employee information, the IRS warned today. The scam tricks those in HR and payroll into emailing private employee data, such as Forms W-2 containing employees' Social Security Numbers (SSNs) and other personally identifiable information, to cybercriminals.
This new warning follows the IRS's recent release of its annual "Dirty Dozen" list of tax scams, which has identity theft topping the list and which gives special mention to phone scams and phishing schemes. The IRS also reports that e-mail schemes targeting the wider tax community have surged by a whopping 400 percent in the first few months of 2016 alone.
"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments," said IRS Commissioner John Koskinen. "If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."
These "spoofing emails," as the IRS refers to them, often contain the actual name of the company CEO, who appears to be requesting a company payroll office employee to respond with a list of employees and information including SSNs. The IRS alert includes the following actual examples of some of the details contained in the fraudulent emails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address and Salary) as of 2/2/2016?
- I want you to send me the list of W-2 copies of employees' wage and tax statements for 2015. I need them in a PDF file. You can send it as an attachment. Kindly prepare the lists and email them to me asap.
To involve employers in the fight against identity theft, last year, the IRS issued guidance on the taxability of identity protection services provided by an employer at no cost to employees whose personal information may have been compromised in a data breach. In addition, the IRS, state tax agencies and the tax industry are engaged in a public awareness campaign - Taxes. Security. Together. - that provides practical steps employers and individuals can take to protect personal, financial and tax data.