By Heather Steele
Another new phishing scheme has tricked numerous employers into disclosing highly sensitive employee information.
In the wake of tax season, spoofed emails were sent to payroll and human resources personnel at various companies. The emails, appearing to be requests from upper-level company officials, including in some instances the companies’ CEOs, requested employee W-2 tax forms that contain Social Security numbers and other personally identifiable information.
New type of tax season scam
Already, companies that have fallen victim to the scheme have received reports of fraudulent tax returns filed on behalf of employees by cybercriminals who have collected their information.
The IRS recently issued an alert to payroll and human resources personnel to beware of this phishing scheme.
IRS Commissioner John Koskinen stated:
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments … If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
Watch for red flags
Employers should counsel their employees to carefully evaluate all requests for personal employee information and to identify red flags, such as information that is not typically requested and/or requests from individuals with whom the employees do not typically directly communicate.
Also, given the timing of this scam and its proximity to tax season, employers who have been victimized by the scam should consider encouraging their employees not only to monitor their credit reports and take all of the usual measures to prevent identity theft, but also to file their tax returns as soon as possible in an effort to avoid the filing of fraudulent tax returns on their behalf.
This was originally published on the Fisher & Phillips Employment Privacy blog.