The IRS recently warned payroll and human resources professionals of a new email phishing scam, whereby cybercriminals, posing as company executives, request employees' payroll data and other personally identifiable information. This warning is an extension of the threat posed to software companies, tax professionals, and state revenue departments, which have also seen a variation of the schemes this tax season. The IRS is working on the issue through its Security Summit, particularly as the threat against individual and entity taxpayers has spiked this year. According to the IRS website, there were 1,026 incidents reported in January, up from 254 a year earlier. Companies and their HR professionals should be cognizant of the threat posed to confidential employee information.
In the alert issued to professionals who have access to employee payroll data, the IRS described the new scheme as a "new twist on an old scheme, using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments," said IRS Commissioner John Koskinen.
To gain access to sensitive employee information, cybercriminals send a spoofed email containing, for example, the actual name of a company's chief executive officer. The email asks the human resources professional for a list of employees, Social Security numbers, and/or copies of W-2s. Because the email is designed to trick the employee by using the CEO's name as the sender, unknowing HR professionals share this confidential information with the scammer. This places individuals and the company at risk of both the release of confidential information and the danger of malware on company computer systems. The IRS renewed a consumer alert in February 2016 after seeing a 400 percent surge in phishing and malware incidents in the 2016 tax season.
The phishing incidents also extend to the wider tax community, with cybercriminals sending emails designed to trick taxpayers into thinking certain emails are official communications from the IRS or other professionals in the tax industry. Example emails contained requests for filing information, confirmation of personal information, verification of personal identification numbers (PINs), and refund information. Some consumers reported receiving these requests via text message, in addition to email. Tax professionals should also beware of reported phishing scams that seek company credentials to IRS services.
Tax professionals, company HR and payroll departments, and software companies should keep in mind that the IRS rarely initiates contact with taxpayers by email to request personal or financial information. Remaining aware of this and the recent alerts issued by the IRS should help guard against the risk of exposure. Companies should also encourage employees to protect personal, financial and tax data; see IRS.gov/taxessecuritytogether for additional steps to protect individual and company privacy.
Businesses looking to further educate employees, clients and tax preparers can share Publication 4524 (Security Awareness for Taxpayers) or create their own messaging to combat identity theft. Businesses that retain sensitive financial data should also review and update their security plan. Publication 4557 (Safeguarding Taxpayer Data) provides helpful recommendations and is a great place to start.