Don't Fall for These Year-End E-Mail Scams Targeting Payroll Data

The IRS and FBI are urging employers to prepare for end-of-the-year scams that aim to steal employee information.

"The holidays and tax season present great opportunities for scam artists to steal valuable information through fake e-mails," IRS Commissioner Chuck Rettig cautioned. While consumers are spending more time online making purchases, payroll staffs are preparing for end-of-the-year tax report deadlines. Rettig advised everyone to "watch your inbox for these sophisticated schemes that try to fool you into thinking they're from the IRS or our partners in the tax community."

The IRS reported a surge of new e-mail phishing scams, with a 60 percent increase this year in bogus e-mail schemes that seek to steal money or tax data. One recent malware campaign used a variety of subject lines such as "IRS Important Notice," "IRS Taxpayer Notice" and other variations insinuating official IRS correspondence.

"The most common way for cybercriminals to steal money, bank account information, passwords, credit card or Social Security numbers is to simply ask for them," the IRS noted. Those who suspect they've received scam e-mails can forward them to the IRS at phishing@irs.gov.

Payroll Data Targeted

Employer payroll systems are particularly tempting targets for thieves. The FBI Internet Crime Complaint Center (IC3) recently alerted employers to a scam aimed at obtaining employees' login information and passwords to access their online payroll accounts and steal employee data, especially bank information relating to direct-deposit credentials.

This is similar to the phishing e-mails sent to businesses, but instead the e-mail is sent to employees requesting they update or confirm their payroll system login information and password using a link to what looks like the payroll system's website. However, the site is actually run by scammers. The thieves "gather the login information and then log in and divert the employee's paycheck to a different bank account," said Greta Cowart, an attorney at Winstead, a Dallas law firm. "The e-mail the employee receives looks legitimate and does not contain the grammatical errors commonly seen in some of the other phishing e-mail scams," she noted.

[SHRM members-only HR Q&A: How can I ensure my company protects personal employee information?]

Safety Measures

To reduce threats to employee information in payroll systems, the FBI recommends that employers:

• Alert and educate employees about this scheme, including how to respond should a breach occur.
  

• Instruct employees to hover their cursor over hyperlinks included in e-mails they receive to view the actual URL, and ensure the URL is actually associated with the company it purports to be from.
  

• Instruct employees to refrain from supplying log-in credentials or personally identifying information in response to any e-mail.
  

• Direct employees to forward suspicious requests for personal information to the information technology or HR department.
  

• Ensure that log-in credentials used for payroll purposes differ from those used for other purposes.
  

• Apply heightened scrutiny to bank information requests initiated by employees seeking to update or change direct-deposit credentials.
  

• Monitor employee logins that occur outside normal business hours.
  

• Implement two-factor authentication for access to sensitive systems and information.
  

The FBI encourages victims to report actual or suspected payroll-data thefts to their local FBI field office and file a complaint with the IC3 at www.ic3.gov, noting "payroll diversion" in the complaint.

"Employers may want to instruct their employees not to provide log-in information or any personal information in response to any e-mail," Cowart advised.

Employers contracting with vendors receiving employees' personal information, including outsourced payroll administrators, "should be certain the vendors are contractually bound to protect the information they receive from both internal and external threats and keep such information appropriately secured," she recommended.

Employers should also instruct their service providers to alert them regarding any suspicious activity that could put employee information at risk.

Related SHRM Articles:

Employees Are Key to Curbing Data-Breach Risks, SHRM Online, November 2018

6 Ways HR Can Help Prevent a Data Breach, SHRM Online, March 2018