HR Beware: ’Tis the Season for W-2 Scams

Cyberthieves are targeting new HR workers

By Aliah D. Wright Jan 9, 2017

The e-mail was clever. It read:

"I'm in the middle of a negotiation so won't be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan."

"Alan was the chief financial officer," said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn't Alan who was sending the e-mail. Despite the company's policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief's e-mail address.

Between January and March of last year, more than 55 businesses had reportedly been tricked into e-mailing criminals sensitive payroll data, according to the security blog Cloudmark. HR professionals—some of whom were fired for exposing private information—were duped when they received spoofed or fake e-mail messages, like the one above, from thieves posing as senior company officials.

Crooks obtain W-2s with Social Security numbers, salary data, birthdates, addresses and other personally identifiable information. They then file fake federal tax returns and claim refunds from the government.

This year, experts are warning HR professionals to create and follow policies that prohibit divulging employee data when handling payroll information.

New tax filing deadlines for employers may help prevent cybercrimes. Previously, employers had until Jan. 31 to distribute copies of Form W-2 to employees and could submit paper W-2s to the Social Security Administration by Feb. 28 and electronic W-2s by March 31.

Not anymore.

The IRS has helped minimize one threat this year by making the filing dates for both the print and electronic versions Jan. 31, said Rick Roddis, president of ComplyRight Tax Solutions and efile4biz.com. ComplyRight is a Pompano Beach, Fla.-based company that provides HR insight and compliance solutions for small businesses. "In past years, the recipient paper forms were due in advance, allowing a window for thieves to obtain information and use that data to commit W-2 fraud," he told SHRM Online.

Awareness and education about e-mail scams, too, can prevent fraud.

"HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft," Roberts said. He deals frequently with the theft of W-2s, which he said occurs "quite regularly this time of year." Notably, sophisticated phishing schemes "appear to be targeting junior and newly hired professionals the most in order to exploit their eagerness to please [and] make a good first impression."

Criminals are also monitoring social media accounts to "know when to attack, such as when a senior HR manager is on vacation."


How HR Can Protect Jobs and Data

"We should teach workers how to handle data to minimize the potential of its falling into the wrong hands," said Robert Siciliano, an expert on identity theft and CEO of security firm IDTheftSecurity.com in Boston.

Experts offered HR professionals and executives these tips:

  • Train employees on cybersecurity awareness. Many companies do not.
  • Use common sense and avoid making electronic requests for sensitive data. It's not just an e-mail threat; phishing by text is also on the rise, said Roddis.
  • If you receive an e-mail from upper management, verify the request. "Your management will appreciate the extra precautions you take," he added.
  • Don't click on links embedded in e-mails. Hover your mouse over all links and if a link web address looks odd, don't click on it. For example, he said, "if the e-mail supposedly came from a government office, it won't use .com or .net for the URL when you hover over the link." It should show a .gov address instead.
  • Look for spelling errors. The official IRS website is www.irs.gov, and any legitimate IRS webpage address will begin with irs.gov. Don't be fooled by variations such as irs.gove, irs.net or any other similar URL, Roddis said. "This is called typosquatting—where scammers are securing URLs that are similar to the real ones. They are looking for victims who inadvertently make a typing mistake."
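
The hover-and-check advice in the last two tips can also be applied automatically, for example at a mail gateway or in awareness training. The following is an added example, not part of the original article or of any SHRM or IRS tooling: it extracts the host a link really points to and compares it with irs.gov. The trusted-domain set, the one-edit threshold, the use of the last two labels as the registered domain, and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: irs.gov is the only domain treated as trusted.
TRUSTED_DOMAINS = {"irs.gov"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-keystroke misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url):
    """Return 'trusted', 'lookalike' or 'other' for the host a link points to."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Assumption: the last two labels stand in for the registered domain.
    registered = ".".join(labels[-2:])
    for domain in TRUSTED_DOMAINS:
        # Trusted only if the host IS the domain or ends with ".<domain>".
        if host == domain or host.endswith("." + domain):
            return "trusted"
    for domain in TRUSTED_DOMAINS:
        name = domain.split(".")[0]
        if name in labels:  # irs.net, irs.gove, irs.gov.<something>.example
            return "lookalike"
        if edit_distance(registered, domain) <= 1:  # e.g. lrs.gov
            return "lookalike"
    return "other"

# Constructed sample links (not taken from any real message).
SAMPLE_LINKS = [
    "https://www.irs.gov/forms-pubs",
    "http://irs.gove/refund",
    "http://www.irs.net/",
    "https://irs.gov.tax-refund.example/login",
    "https://www.shrm.org/",
]

def review(links):
    """Map each link to its verdict so suspicious ones can be held for review."""
    return {link: classify_link(link) for link in links}

if __name__ == "__main__":
    for link, verdict in review(SAMPLE_LINKS).items():
        print(f"{verdict:9}  {link}")
```

Matching on how the host ends, rather than on how the address begins, is what keeps a link such as `irs.gov.tax-refund.example` from passing the check.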

Siciliano said that every employee—new and old—should get thorough training, and that each worker's access to sensitive company data should be limited in accordance with his or her role in the organization. "And new employees, before they officially begin work, should complete this training before accessing the company's network."  

While employees should be told that they could be fired for exposing company data, Roberts added, "mistakes happen and only in the most exceptional cases should someone lose their job over something like this. What should put one's job at risk is not the fact they were tricked, but rather that they hid it or did not report it," he said.

Instead of threatening workers, Roberts said, HR and company leaders should build "a culture of transparency where people feel comfortable reporting incidents. If you fire everyone who is tricked, you will have few employees left and you will create a culture when people are punished for coming forward.

"Prompt reporting and honesty should be rewarded and should not lead to termination."

 
