Cyberthieves are targeting new HR workers
The e-mail was clever. It read:
"I'm in the middle of a negotiation so won't be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan."
"Alan was the chief financial officer," said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn't Alan who was sending the e-mail. Despite the company's policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief's e-mail address.
Between January and March of last year, more than 55 businesses had reportedly been tricked into e-mailing criminals sensitive payroll data, according to the security blog Cloudmark. HR professionals—some of whom were fired for exposing private information—were duped when they received spoofed or fake e-mail messages, like the one above, from thieves posing as senior company officials.
Crooks obtain W-2s with Social Security numbers, salary data, birthdates, addresses and other personally identifiable information. They then file fake federal tax returns and claim refunds from the government.
This year, experts are warning HR professionals to create and follow policies that prohibit divulging employee information when handling payroll data.
New tax filing deadlines for employers may help prevent cybercrimes. Previously, employers had until Jan. 31 to distribute copies of Form W-2 to employees and could submit paper W-2s to the Social Security Administration by Feb. 28 and electronic W-2s by March 31.
The IRS has helped minimize one threat this year by making the filing dates for both the print and electronic versions Jan. 31, said Rick Roddis, president of ComplyRight Tax Solutions and efile4biz.com. ComplyRight is a Pompano Beach, Fla.-based company that provides HR insight and compliance solutions for small businesses. "In past years, the recipient paper forms were due in advance, allowing a window for thieves to obtain information and use that data to commit W-2 fraud," he told SHRM Online.
Awareness and education about e-mail scams, too, can prevent fraud.
"HR professionals need to recognize the form these scams take, including phishing attacks, fraudulent vendor or employee phone calls, and employee theft," Roberts said. He deals frequently with the theft of W-2s, which he said occurs "quite regularly this time of year." Notably, sophisticated phishing schemes "appear to be targeting junior and newly hired professionals the most in order to exploit their eagerness to please [and] make a good first impression."
Criminals are also monitoring social media accounts to "know when to attack, such as when a senior HR manager is on vacation."
How HR Can Protect Jobs and Data
"We should teach workers how to handle data to minimize the potential of its falling into the wrong hands," said Robert Siciliano, an expert on identity theft and CEO of security firm IDTheftSecurity.com in Boston.
Experts offered HR professionals and executives these tips:
Siciliano said that every employee—new and old—should get thorough training, and that each worker's access to sensitive company data should be limited in accordance with his or her role in the organization. "And new employees, before they officially begin work, should complete this training before accessing the company's network."
While employees should be told that they could be fired for exposing company data, Roberts added, "mistakes happen and only in the most exceptional cases should someone lose their job over something like this. What should put one's job at risk is not the fact they were tricked, but rather that they hid it or did not report it," he said.
Instead of threatening workers, Roberts said, HR and company leaders should build "a culture of transparency where people feel comfortable reporting incidents. If you fire everyone who is tricked, you will have few employees left and you will create a culture where people are punished for coming forward.
"Prompt reporting and honesty should be rewarded and should not lead to termination."