Cyber thieves are now after W-2s in an apparent effort to file fake tax returns and claim refunds from the federal government.
Posing as company executives, cybercriminals have gotten HR professionals to e-mail them sensitive payroll data—including W-2s—with Social Security numbers, salary information, dates of birth, addresses and other personally identifiable data, according to a news release from the Internal Revenue Service.
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” IRS Commissioner John Koskinen stated in the release.
He cautioned HR professionals to telephone or verify in other ways with executives or other employees before e-mailing such sensitive data.
"Every e-mail requesting sensitive data should be suspect and followed up with a phone call," added Robert Siciliano, an identity theft expert with BestIDTheftCompanys.com. "Clicking links and providing sensitive data without follow-up makes an HR professional no smarter than someone who falls for a 'prince' in a Nigerian [e-mail] scam.
"Neither the IRS nor executives needing access to their employees' W-2 forms will or should request this kind of information via e-mail. Recognizing this simple ruse now ensures employees will be security aware and have an elevated security appreciation," he said.
“If your CEO appears to be e-mailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees,” Koskinen added.
The IRS is conducting a criminal investigation into the hoax. It is reviewing several cases in which people have been tricked into sharing Social Security numbers with cyber thieves, according to the release. In addition to using the information in other ways, the thieves are filing fake tax returns in attempts to obtain refunds from the federal government.
How It Works
The thieves pretend to be company executives by “spoofing” e-mails—making their e-mails seem like legitimate ones coming from company executives. For example, HR professionals or payroll employees will receive a fake e-mail from what may seem to be the CEO’s account asking for a list of employees, as well as their sensitive data that includes their Social Security numbers.
According to the IRS, these are some excerpts from the e-mails:
Cybercrime expert Charles Henson, who is managing partner of Nashville Computer, told SHRM Online that this isn't the only type of social engineering scam targeting HR professionals.
"We are seeing this and a similar scam where they are asking for Social Security numbers, dates of birth, employment dates, and home address for [the purpose of] running a background check. We have also had clients wire money," too.
More than HR Targeted
“The IRS recently renewed a wider consumer alert for e-mail schemes after seeing an approximate 400 percent surge in phishing and malware incidents so far this tax season and other reports of scams targeting others in a wider tax community,” the release states.
Additional e-mails are being sent to taxpayers, seeking to trick them into believing they’ve been e-mailed by the Internal Revenue Service when they haven’t been. Some include e-mails from phony tax software companies or others in the tax industry.
In that ruse, the e-mails “seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information,” the IRS states.
The IRS lists these and other steps on its site that HR professionals, payroll executives and other people can take to keep information secure.
Once they've fallen victim to this scam, HR will "need to notify the FBI and their employees immediately. They should also provide credit monitoring for their employees as well as suggest that each employee call the three big credit monitoring services and put a freeze on their credit," Henson said.
That's not all.
HR professionals should also consider taking protective measures as well by "having a comprehensive cyber liability insurance policy ... to cover you for any liability associated with such a breach," added Harris Tsangaris, a managing director at NFP Property & Casualty Services, Inc., an insurance broker and consultant in New York City. "Hackers are sophisticated and relentless so it’s not an ‘if,’ but ‘when’ situation.”
Aliah D. Wright is an online editor/manager for SHRM.
Related Articles:
Employee Training to Reduce Cybersecurity Breaches Underused (SHRM Online, January 2016)
Educate Your Employees on Spear-Phishing (SHRM Online, August 2015)
Lessons for HR in Light of Data Breaches (SHRM Online, August 2014)