Share

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus convallis sem tellus, vitae egestas felis vestibule ut.

Error message details.

Copy button
Reuse Permissions

Request permission to republish or redistribute SHRM content and materials.

Learn More
News

Don't Fall for These Year-End E-Mail Scams Targeting Payroll Data

IRS and FBI advise warning employees to guard their payroll passwords

December 11, 2018 | Stephen Miller, CEBS
A man is sitting at his desk with his head in his hands.


The IRS and FBI are urging employers to prepare for end-of-the-year scams that aim to steal employee information.

"The holidays and tax season present great opportunities for scam artists to steal valuable information through fake e-mails," IRS Commissioner Chuck Rettig cautioned. While consumers are spending more time online making purchases, payroll staffs are preparing for end-of-the-year tax report deadlines. Rettig advised everyone to "watch your inbox for these sophisticated schemes that try to fool you into thinking they're from the IRS or our partners in the tax community."

The IRS reported a surge of new e-mail phishing scams, with a 60 percent increase this year in bogus e-mail schemes that seek to steal money or tax data. One recent malware campaign used a variety of subject lines such as "IRS Important Notice," "IRS Taxpayer Notice" and other variations insinuating official IRS correspondence.

"The most common way for cybercriminals to steal money, bank account information, passwords, credit card or Social Security numbers is to simply ask for them," the IRS noted. Those who suspect they've received scam e-mails can forward them to the IRS at phishing@irs.gov.

Payroll Data Targeted

Employer payroll systems are particularly tempting targets for thieves. The FBI Internet Crime Complaint Center (IC3) recently alerted employers to a scam aimed at obtaining employees' login information and passwords to access their online payroll accounts and steal employee data, especially bank information relating to direct-deposit credentials.

This is similar to the phishing e-mails sent to businesses, but instead the e-mail is sent to employees requesting they update or confirm their payroll system login information and password using a link to what looks like the payroll system's website. However, the site is actually run by scammers. The thieves "gather the login information and then log in and divert the employee's paycheck to a different bank account," said Greta Cowart, an attorney at Winstead, a Dallas law firm. "The e-mail the employee receives looks legitimate and does not contain the grammatical errors commonly seen in some of the other phishing e-mail scams," she noted.

[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]

Safety Measures

To reduce threats to employee information in payroll systems, the FBI recommends that employers:

  • Alert and educate employees about this scheme, including how to respond should a breach occur.
  • Instruct employees to hover their cursor over hyperlinks included in e-mails they receive to view the actual URL, and ensure the URL is actually associated with the company it purports to be from.
  • Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
  • Direct employees to forward suspicious requests for personal information to the information technology or HR department.
  • Ensure that log-in credentials used for payroll purposes differ from those used for other purposes.
  • Apply heightened scrutiny to bank information requests initiated by employees seeking to update or change direct-deposit credentials.
  • Monitor employee logins that occur outside normal business hours.
  • Implement two-factor authentication for access to sensitive systems and information.

The FBI encourages victims to report actual or suspected payroll-data thefts to their local FBI field office and file a complaint with the IC3 at www.ic3.gov, noting "payroll diversion" in the complaint.

"Employers may want to instruct their employees not to provide log-in information or any personal information in response to any e-mail," Cowart advised.

Employers contracting with vendors receiving employees' personal information, including outsourced payroll administrators, "should be certain the vendors are contractually bound to protect the information they receive from both internal and external threats and keep such information appropriately secured," she recommended.

Employers should also instruct their service providers to alert them regarding any suspicious activity that could put employee information at risk.

Related SHRM Articles:

Employees Are Key to Curbing Data-Breach Risks, SHRM Online, November 2018

6 Ways HR Can Help Prevent a Data Breach, SHRM Online, March 2018


Business Acumen
Compensation
Payroll
Risk Management

Related Content
News
Rising Demand for Workforce AI Skills Leads to Calls for Upskilling

As artificial intelligence technology continues to develop, the demand for workers with the ability to work alongside and manage AI systems will increase. This means that workers who are not able to adapt and learn these new skills will be left behind in the job market.

A vast majority of U.S. professionals think students should be prepared to use AI upon entering the workforce.
In Focus
Employers Want New Grads with AI Experience, Knowledge

A vast majority of U.S. professionals say students entering the workforce should have experience using AI and be prepared to use it in the workplace, and they expect higher education to play a critical role in that preparation.

View All

Advertisement
Artificial Intelligence in the Workplace

​An organization run by AI is not a futuristic concept. Such technology is already a part of many workplaces and will continue to shape the labor market and HR. Here's how employers and employees can successfully manage generative AI and other AI-powered systems.

Advertisement