The IRS recently renewed its warning about an email scam that uses a corporate officer’s name to request employee Forms W-2 from company payroll or human resources departments. This phishing variation is known as a “spoofing” e-mail. It will contain, for example, the actual name of the company chief executive officer. In this variation, the “CEO” sends an email to a company payroll office or human resource employee and requests a list of employees and information including SSNs.
Last year, cybercriminals tricked payroll and human resource officials into disclosing employee names, SSNs and income information. The thieves then attempted to file fraudulent tax returns for tax refunds.
The following are some examples of what may be contained in the emails:
- Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The email scam is making its way across the nation for a second time, with the IRS urging company payroll officials to double check any executive-level or unusual requests for lists of Forms W-2 or Social Security numbers.
To reduce the likelihood of being victimized by business email compromises, consider adopting these practices suggested by Ballard Spahr LLP:
- Adopt policies and procedures that prohibit or severely restrict the transmission of employee W-2 data by email;
- Use technical controls focused on anti-phishing, data loss prevention, and digital rights management of files containing W-2 information;
- Ensure that any W-2 information that must be emailed is encrypted and that the decryption key is not included in or transmitted by email;
- Require multi-factor authentication for any email request for W-2 or other sensitive data—such as telephone or face-to-face confirmation of the email request or provision of a verbal verification code known only to the parties before the data is transmitted or the decryption key provided; and
- Provide relevant and periodic training of employees to spot such schemes and adhere to company policies and procedures regarding sensitive data.
For more information, please contact our HR experts.