The IRS has issued an official warning to payroll and human resources professionals.

IRS Warns HR Leaders About Phishing Scams

With tax season well underway, the IRS has issued an official warning to payroll and human resources professionals to beware of a new email phishing scheme designed to scoop up W-2s and exploit the personal information within. The scammers present themselves as high-level administrators of a company looking to access employee W-2s; their true intent is to gain access to employee Social Security numbers in order to defraud workers.

New Twist on an Old Scheme

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen in the IRS alert. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.” Scammers can easily obtain the information they need, such as the names of HR leaders and CEOs, from a cursory search of sites like LinkedIn and use it to personalize their phishing emails. The scheme has already exposed the personal data of thousands of employees at companies nationwide.

‘Kindly Prepare’

One feature of the emails is the use of the word “kindly,” typically in requests that payroll officers “kindly send individual 2015 W-2s” or “kindly prepare employee lists” in PDF form. RiskBased Security speculates that the scammers are targeting HR staffers involved with payroll since these workers often “have little day-to-day interaction” with administrators who may be seeking the information. “Phishing is nothing new and this most recent wave of targeted attacks is a perfect example of how old fashioned trickery is still one of the most effective means of acquiring data,” writes a representative from RiskBased Security. “All it took to scoop up thousands of records perfectly suited for filing false tax returns was a timely request for payroll information apparently from a known individual with reason to ask.”

400 Percent Increase

The IRS has seen an overall increase of nearly 400 percent in phishing attacks and malware this tax season, with companies of all shapes and sizes being targeted. Social media app Snapchat was one of the most prominent victims in 2015, after the Los Angeles company’s payroll department reported being tricked by an email impersonating its CEO, Evan Spiegel, into revealing an unspecified number of employees’ personal data. “When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong,” wrote Snapchat in a post on its corporate blog. Both the IRS and RiskBased Security recommend increased training and continued vigilance against suspicious-seeming requests. Even a modicum of additional checks would add minimal operational burden and lead to increased security.
