On March 1, the IRS posted an alert to all HR and Payroll Professionals about an email phishing scheme in which cyber-criminals, impersonating a company executive, send an email requesting employee W-2 forms (https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s). Because requests for W-2s are not unusual during tax season, many companies have fallen victim to this scheme and mistakenly emailed payroll data, including W-2 forms.
It is important that you remain diligent and carefully examine any email requesting this type of information. Samples of the emails that have been sent include:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
- I want you to send me a list of W-2 employees wage and tax statements for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Before providing W-2 or payroll data in response to an email, verify that a company employee authorized to view the information actually requested it. Do not do this by replying to the email, because the sender's address may only appear similar to the valid email address. Instead, send a separate email to the address you know to be correct, or verify the request by talking to the person on the phone or in person. If you notice anything unusual in an email, notify your IT department immediately so they can identify the source of the email and warn others in the company not to respond to similar emails.
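As an added illustration (not part of the IRS alert or the firm's guidance), the following Python check applies the same tests a payroll clerk would make by hand to an inbound message: an executive's name sent from an outside or lookalike domain, a Reply-To that points somewhere else, and a request for W-2 or payroll data. The company domain `example.com`, the executive list, and every address in the sample message are constructed assumptions.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumption: the organisation's real mail domain
EXECUTIVES = {"Jane Doe"}               # assumption: executive display names kept by IT
W2_TERMS = re.compile(r"w-?2|social security|earnings summary|wage and tax", re.I)
# substitutions that make a forged domain read like the real one (1 for l, 0 for o, ...)
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def lookalike(domain: str) -> bool:
    """True when a foreign domain is built to resemble COMPANY_DOMAIN."""
    if domain == COMPANY_DOMAIN:
        return False
    norm = domain.translate(CONFUSABLES).replace("rn", "m")
    if COMPANY_DOMAIN in norm:           # examp1e.com, example.com-mail.net, ...
        return True
    return SequenceMatcher(None, norm, COMPANY_DOMAIN).ratio() >= 0.9


def assess(raw: str) -> list[str]:
    """Reasons an RFC 5322 message should be held for out-of-band verification."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", "") or addr)
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    reasons = []
    if name in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive display name sent from {domain}")
    if lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    if reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To points to a different domain than From")
    if W2_TERMS.search(text):
        reasons.append("asks for W-2 or payroll data")
    return reasons


# constructed sample modelled on the IRS alert; every address here is fictitious
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jane@webmail.invalid>
Subject: W-2 request
Content-Type: text/plain; charset=us-ascii

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all staff.
"""
```

Running `assess(SAMPLE)` returns four reasons to hold the message; a genuine internal note from the same executive with no payroll request returns none.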
If you discover that a breach has occurred, our firm's Privacy & Data Security team can help you formulate a plan to respond to the breach, including providing notice to all affected employees. Also, remember that it is important to review your policies and procedures to make sure they include measures to reduce the risk that your company will be subject to the ever-expanding number of cyber-crimes. One measure to consider is requiring dual verification for any transfer of personally identifiable information. Cybersecurity training is also a crucial component of reducing the risk of a cyber-attack.