During the past few weeks, many companies have been targeted by an email phishing scheme that has resulted in the disclosure of employees' confidential personal information. In this latest scheme, cybercriminals pose as company executives in an email targeted at members of the company's human resources (HR), accounting or payroll departments. In the email, the alleged executive requests employees' personal information, particularly W-2 or payroll information. The fraud perpetrator then uses that personal information to file fraudulent tax returns, and receive improper tax refunds, in the name of the employee.

To prevent falling victim to this scheme, you should quickly alert your employees and staff members, especially those in HR, accounting and payroll, to closely scrutinize any request for personal information. At a minimum, we recommend that you inform employees and staff members to do the following if a suspicious email is received:

  1. call the sender of the email requesting the information and verify that he or she indeed made the request (e.g., if the email appears to come from "Jane Doe, CEO," call Jane Doe to verify before sending any requested information); and
  2. rather than replying to the original email, only send the requested information by composing a new email message to a known email address for the sender (e.g., compose an email to Jane Doe, using her known email address from the company directory).

Disclosing sensitive and valuable information can cause significant costs and expenses triggered by federal and state data privacy and security laws, including the costs of complying with data breach notification requirements. To read more about this latest scheme, read the alert issued by the IRS or the client alert distributed yesterday by Bass, Berry & Sims.