The Internal Revenue Service recently issued an alert to payroll and human resources professionals to beware of a phishing email scam that appears to be from company executives requesting personal information on employees.
The IRS has learned this scheme has already claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives.
IRS Criminal Investigation is already reviewing several cases in which people have been tricked into sharing SSNs with what turned out to be cybercriminals. Criminals using personal information stolen elsewhere seek to monetize data, including by filing fraudulent tax returns for refunds.
This phishing variation is known as a “spoofing” email. It will contain the actual name of the company chief executive officer. In this scam, the “CEO” sends an email to a company payroll office employee and requests a list of employees and information including SSNs.
The following are some of the details contained in the e-mails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The IRS issued a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community.
The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.
In order to avoid such cybercrimes in your business, it is imperative for employers to contact their human resource professional to ensure that security protocols are set up to prevent something like this from happening. A review of data protection policies, procedures and technologies should be also be conducted regularly to make sure these types of threats are under control.
The IRS, state tax agencies and tax industry are engaged in a public awareness campaign called “Taxes. Security. Together. ,” which encourages everyone to do more to protect personal, financial and tax data. See IRS.gov/taxessecuritytogether or Publication 4524 for additional steps you can take to protect yourself.