The Internal Revenue Service recently issued an alert to payroll and human resources professionals to be aware of an emerging phishing e-mail scheme that purports to be from company executives and requests personal information about employees1. Vedder Price would like to reiterate this alert, as it is personally aware of multiple companies having fallen victim to this scheme in the past few days.
The phishing e-mails typically appear to be from the company CEO or other executive, and are generally directed to a company employee in the payroll, human resources or accounting departments. The "CEO" sends an e-mail to the company employee and requests certain tax documents or other personally identifiable information ("PII") pertaining to the company employees, including W-2s, SSNs, dates of birth, addresses and salaries.
The following are examples of the requests contained in the phishing e-mails:
- I need you to email me scanned copy of all our Employees W-2 wage and tax statement for 2015 for immediate reviewing. I will brief you more about this later. Keep in touch as soon as you can.
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The scheme has already resulted in numerous instances of people being tricked into sharing the tax documents and PII of company employees with cybercriminals. The criminals perpetrating the scheme seek to monetize the data, including by filing fraudulent tax returns for refunds.
Vedder Price recommends that companies alert their employees to be on the lookout for these types of phishing e-mails. In the event that a company employee receives such an e-mail, that employee should not respond and instead should immediately notify the accounting department. The accounting department should then call the purported sender of the email to determine whether the e-mail was in fact sent by that person.