Dive Brief:
- The Internal Revenue Service (IRS) has issued an alert to payroll and HR professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.
- According to the IRS announcement, it learned this scheme — part of the surge in phishing emails seen this year — already has claimed several victims as payroll and HR offices mistakenly emailed payroll data, including W-2 forms, that contain Social Security numbers and other personally identifiable information to cyber criminals posing as senior management.
- The IRS is conducting a criminal investigation into the hoax, reviewing several cases in which people have been tricked into sharing sensitive data with cyber thieves, according to the release. In addition to using the information in other ways, the crooks are filing fake tax returns in attempts to obtain refunds from the federal government.
Dive Insight:
IRS Commissioner John Koskinen called the cyber crime effort a "new twist on an old scheme," using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. He added that if an HR or payroll leader receives an email from the CEO, for example, asking for a list of company employees and/or W-2s, they should investigate before responding.
Robert Siciliano, an identity theft expert, said that if an email comes in asking for sensitive personal data, the next step is a phone call to the sender. "Clicking links and providing sensitive data without follow up makes an HR professional no smarter than someone who falls for a 'prince' in a Nigerian (e-mail) scam," Siciliano told SHRM.