The IRS recently issued an alert about an emerging scheme that targets payroll and HR professionals in an attempt to obtain employees’ W-2 forms. A number of companies have already been victimized by this scheme. Below we offer some brief guidance about the scheme and tips for what you can do to protect your company’s data. 

What the scheme is: A phishing email in which cybercriminals use a spoofed email address that appears to belong to the CEO or another executive of a company and ask payroll and HR professionals to send copies of employees’ W-2 tax forms or other employee information, such as Social Security numbers and income information. The criminals may try to use the information obtained to commit identity theft, including filing fraudulent tax returns for refunds.

What to watch out for: An email that appears to come from your company’s CEO or other executive asking to be sent W-2 forms or other employee information. One example asked the employee to “Kindly send me the individual 2015 W-2 and earnings summary of all W-2 of our company staff for a quick review” and another asked for “the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).” 

What to do now: You should inform anyone working in HR or with access to employees’ payroll or other sensitive information to be on the lookout for these types of emails and to not respond. You should also remind your employees about any policies you have in place regarding sharing sensitive employee information and set up a point of contact for employees to consult if they are in doubt about what they can share.

What to do if you receive one of these emails: Do not respond to the email, and add the sender to a blocked senders list. You can also forward the email, as is, to reportphishing@antiphishing.org.

What to do if you have responded to one of these emails: If someone at your company has already responded to one of these emails, we suggest you contact experienced counsel immediately. You may have obligations to notify the potentially impacted individuals and/or state or federal entities under various state and federal laws, you may want to alert law enforcement, and you may need to take action to avoid future phishing cyberattacks.