From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers. We often see a spike in this type of activity around tax season, when fraudsters target taxpayers in an attempt to make off with their refunds. This year, however, the annual spike is looking more like an epidemic as a variant affecting human resources departments has begun to spread with a vengeance.
On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.” Less than a week later, on March 7, the Attorney General of North Carolina sounded a similar alarm concerning the rise in phishing-related breaches, reporting that “[i]n 2016, 26 phishing breaches have been reported by businesses and other organizations with 16 of those reports coming within the past two weeks, compared to eight phishing breaches reported in all of 2015.”
The scheme typically begins with a “spoofing” email that appears to have been sent by a company’s CEO or another high-ranking executive to one or more employees in the human resources or payroll departments. In many cases, the sender’s email address matches that of the executive being impersonated, and the tone or style of the message is convincingly similar to that of the individual who is supposed to have sent it. The email asks the recipient to respond by sending the “CEO” certain employee personal information, usually including Social Security numbers. The email may ask specifically for W-2 forms, or may instead ask for a compilation of employee data similar to what appears on such tax documents. The employee, accepting the request as legitimate, forwards the requested information to the perpetrator.
Companies of all sizes and across all industries have reported receiving phishing emails that fit this pattern. In late February, Snapchat announced publicly that it had fallen victim to such a spoof. A Snapchat payroll department employee received an email from “Snapchat CEO Evan Spiegel.” The cybercriminal imposter requested payroll information on both current and former Snapchat employees. The employee complied with the request, and the company’s payroll information was obtained by the imposter. The incident was reported to the FBI within hours.
To help avoid a similar fate, organizations should warn their human resources and payroll departments about this increasingly prevalent phishing scheme. Employees should be reminded of privacy and security policies concerning the disclosure of personal information, and advised that email requests for any type of sensitive data should be confirmed as authentic through direct contact with the apparent sender.
Unfortunately, the W-2 request variant isn’t the only phishing email scam putting taxpayers at risk this season, and old-fashioned IRS-impersonation phone hoaxes also remain an issue. You can review a compilation of IRS alerts regarding these threats as well as further information on how to avoid tax fraud generally on the IRS’s website.