Human Resources and payroll professionals are being targeted by sophisticated cyber criminals to steal employee data. The email phishing scam works like this: the bad guy sends an email to employees in the human resources or payroll department spoofing an email from a company executive, usually the CEO or CFO. Email spoofing is the forgery of an email header so the message appears to have originated from the c-suite but actually belongs to a cybercriminal. The email may seek confidential information about the company’s employees, such as their Social Security Numbers and W-2 forms, or may ask that funds be immediately sent, via wire transfer, to a bank account number (commonly associated with a bank overseas). Recipients of spoofed emails are deceived into disclosing the protected data that is then used to submit employees’ tax returns to the Internal Revenue Service or for other illegal activity such as transferring company funds to accounts from which they cannot be retrieved.

On March 1, the IRS issued an alert in response to what it calls a “surge” in email phishing in 2016. The alert makes clear that the IRS is aware of several companies that have been breached using email spoofing and phishing scams.

The victims of this scam, in most cases, are individual employees and the cybercriminals use sophisticated social engineering to perpetrate their crimes. Social engineering is a type of cyber-con that leverages intelligence from an individual’s social network and interactions with other users to manipulate the user into disclosing confidential data. While many of these attacks are associated with relatively simple identity theft and tax fraud rings, others may be associated with efforts to undermine national security when directed toward companies who maintain data or files related to U.S. critical infrastructure like airports, military bases, utilities or waterways.

While companies are increasingly investing in information security technologies, even the most sophisticated technology can be defeated by a phishing attack, in which an employee is fooled into transferring files, money or a password granting access to company systems. It takes a village to protect a village: information security is every employee’s responsibility, and every employee must be educated to spot and avoid these types of tricks. The key to mitigating a phishing breach is to educate employees and to create a culture, from the top down, to safeguard data and to be aware of cyber vulnerabilities. By educating employees, creating policies and enforcing protocols, companies can significantly reduce their cyber risk profiles.