Heads up: Cybercriminals are specifically targeting HR professionals with a tax-season scam that’s already hurt a number of employers.
The scam centers around an urgent email that appears to come from upper management, such as the CFO or a VP. An HR professional receives an urgent email from their boss, or their boss’s boss, that looks legitimate and essentially asks the staffer to hand over W-2s.
‘Exception to normal protocol’
Here’s an example of the type of language that email request may use:
I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan
Sound familiar? The IRS was warning employers about a similar type of scam last tax season.
That scam involved an email, supposedly from the CEO, sent to a company payroll or HR employee. In the email, the individual or individuals posing as the CEO ask the recipient to provide a variety of personal information for “review” by the exec.
The specific requests the IRS warned employers to watch for:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary) as at 2/2/2016?
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.
From training to verification
To help your company stay safe, the folks over at SHRM offered the following strategies for employers:
- Roll out training for employees on cybersecurity awareness (many firms don’t do this)
- Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise, and
- Have HR, Benefits and any other relevant departments verify any requests for sensitive data, even when they appear to come directly from execs.
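To show what that verification step can look like in practice, here is an added example (not code from this article or from SHRM) of a small Python triage check for an HR mailbox. It scores a message against the indicators described above: a request for W-2 or SSN data, urgency, the “unavailable, exception to protocol” pretext, and a sender or Reply-To address outside the company domain. The two messages and the company domain example-corp.com are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # assumed company domain (constructed)

# Constructed samples, not real captures: one modeled on the W-2 request
# language quoted in the article, one benign internal note.
SUSPECT = """From: Alan Example <alan.ceo@examp1e-corp.com>
Reply-To: alan.ceo@examp1e-corp.com
To: hr@example-corp.com
Subject: W-2s needed today

I'm in the middle of a negotiation so won't be available by cell or e-mail but
I need you to send W-2s for the management team to our new accountants.
Needs to be done today. Please take this as an exception to normal protocol.
"""

BENIGN = """From: Dana Example <dana@example-corp.com>
To: hr@example-corp.com
Subject: Benefits meeting

Can we move the open-enrollment meeting to Thursday? Thanks.
"""

# Indicators drawn from the scam language described in the article.
DATA_TERMS = ("w-2", "w2", "social security", "earnings summary", "wage and tax statement")
URGENCY_TERMS = ("today", "asap", "urgent", "quick review")
PRETEXT_TERMS = ("won't be available", "exception to normal protocol", "new accountants")

def score_message(raw: str) -> dict:
    """Return which indicators fire and whether HR should verify out of band."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    _, sender = parseaddr(msg["From"])
    _, reply_to = parseaddr(msg.get("Reply-To", msg["From"]))
    hits = {
        "requests_tax_data": any(t in body for t in DATA_TERMS),
        "urgency": any(t in body for t in URGENCY_TERMS),
        "unreachable_pretext": any(t in body for t in PRETEXT_TERMS),
        "external_sender": not sender.lower().endswith("@" + INTERNAL_DOMAIN),
        "external_reply_to": not reply_to.lower().endswith("@" + INTERNAL_DOMAIN),
    }
    hits["indicator_count"] = sum(hits.values())
    # Any request for W-2/SSN data goes to out-of-band verification (a call to
    # the exec on a known number); other indicators only raise review priority.
    hits["verify_out_of_band"] = hits["requests_tax_data"]
    return hits
```

The point is that the data request alone triggers a phone-call check with the exec; the other indicators just decide how quickly someone looks at it.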