This week’s tip is for businesses, and in particular, the human resources, benefits and finance departments of all businesses. It doesn’t matter what industry you are in or where you are located. It doesn’t matter if you have 2 employees or 2,000. Just know that you can become the victim of a sophisticated cyber-attack.
It has become such a problem that the Internal Revenue Service issued an Alert on March 1, 2016, to payroll and HR professionals about a phishing scheme that has affected numerous companies.
The way it works is that a phishing email, which looks like it is from the company’s CEO, is sent to employees working in the HR and/or payroll department. The email is rigged to look like a real one, and it is hard to detect that any response to the “real” email is re-routed to a hacker’s email. In the email, the supposed CEO or another company executive asks the HR or payroll employee to send him or her personally identifiable information about employees of the company, including W-2s.
The email is called a “spoofing” email and contains the actual name of the executive and asks the employee things like “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review” or “Can you send me the updated list of employees with full details (Name, Social Security number, Date of Birth, Home Address, Salary.)”
According to the IRS, “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
So perk up, HR and payroll folks, and get those antennae up to protect your data and your co-workers’ data. Be suspicious anytime anyone asks for the Social Security number of any employee, even if it is an executive. Pick up the phone before following the instructions. Your executives will thank you for your vigilance.
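For the IT staff supporting HR and payroll, the re-routed reply described above can be checked mechanically before a message reaches an inbox. The following is an added example, not part of the IRS alert or the original tip: the function names, the domains `example.com` and `example-mail.test`, and both sample messages are constructed for illustration, and the keyword list is taken from the sample requests quoted above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Terms drawn from the sample requests quoted in the tip above.
SENSITIVE = re.compile(r"\bW-?2s?\b|social security|date of birth|salary", re.I)

def domain(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def review_flags(raw_message, company_domain):
    """List the reasons a message should be confirmed by phone before replying."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # The sender looks right, but the answer would go somewhere else.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-differs-from-sender")
    if from_dom != company_domain.lower():
        flags.append("sender-outside-company")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    if SENSITIVE.search(text):
        flags.append("requests-employee-pii")
    return flags

# Constructed sample: From shows the company domain, Reply-To does not.
SPOOFED = (
    "From: Pat Example <ceo@example.com>\n"
    "Reply-To: Pat Example <ceo@example-mail.test>\n"
    "To: payroll@example.com\n"
    "Subject: Quick review\n"
    "\n"
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary.\n"
)
# Constructed sample: ordinary internal mail with no Reply-To header.
ROUTINE = (
    "From: Sam Example <sam@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "Are we still meeting at noon?\n"
)

if __name__ == "__main__":
    print(review_flags(SPOOFED, "example.com"))
    print(review_flags(ROUTINE, "example.com"))
```

A flagged message is a prompt to pick up the phone, not proof of fraud, and a message with no flags can still be a fake if the executive's own mailbox has been taken over.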