Cyber Liability–HR & Payroll Departments Targeted in W2 Scam

February 7, 2017

Human resources and payroll departments should be aware of an IRS alert released on January 25, 2017 describing an email phishing scam spreading across the country.  The scam first appeared last year, and its goal is to obtain the personal information on employee W-2 forms.  Cybercriminals email an HR or payroll employee with a corporate officer's name (such as the company CEO) as the apparent sender and request that a list of employees, their Social Security numbers, and W-2 information be sent back.  

Below are verbatim phrases that may appear in the phishing emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

Once obtained, the data is used to file fraudulent tax returns and claim the refunds.  The IRS urges HR and payroll departments to double-check any executive-level or otherwise unusual request to release W-2 forms or Social Security numbers, confirming it through a channel other than the email itself before responding.

In April 2016, Kalamazoo College was targeted, and the personal information of about 1,600 students, staff and faculty was released when their W-2 forms were sent to a phony entity.   According to President Eileen Wilson-Oyelaran, a college employee received an email requesting employees' 2015 W2 forms.  "The email was designed to appear as though a Kalamazoo College administrator sent it."  "Believing the email to be legitimate, the employee replied to the message and attached faculty, staff and student employees' 2015 W2s."

According to a Cloudmark Security blog post by Tom Landesman, the scheme begins with a bit of research about the target company. Scraping public sources such as LinkedIn and Twitter often yields the names and titles of many of its employees.  "Then, a quick search for the company's website will often provide the name of the domain used in their email." "With these items in hand, attackers now have their target's email address as well as the email of a higher ranking member of the company — often a CEO or CFO."  In the first quarter of 2016, at least 55 companies had fallen victim to these phishing schemes.
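The attack described above relies on a spoofed executive display name, an outside or look-alike sender domain, and a short urgent request for W-2 data. As an added example that is not part of the original post (and not code from the IRS, Cloudmark, or the author), the Python screen below applies those three identity checks plus a lure-phrase check to incoming mail, using the verbatim phrases quoted earlier. The corporate domain (example.com), the executive roster, and the three sample messages are constructed assumptions for the example.

```python
"""Heuristic screen for executive-impersonation W-2 lures.

Added example for this post; it is not code from the IRS, Cloudmark or
the original author. The corporate domain, the executive roster and the
three sample messages below are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's real mail domain and its executives.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # fictional CEO

# Phrases taken from the lures quoted in the post, plus SSN wording.
LURE_PATTERNS = [
    r"\bw-?2s?\b", r"\bsocial security\b", r"\bssn\b",
    r"\bwage and tax statement\b", r"\bearnings summary\b",
    r"\bkindly\b", r"\basap\b",
]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw):
    """Return identity findings, lure phrases found, and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(addr), _domain(reply_addr)
    findings = []

    # 1. Display name belongs to an executive but the address is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' is an executive but sender is {addr}")
    # 2. Sender domain is outside the company, or a look-alike of it.
    if from_dom and from_dom != CORP_DOMAIN:
        kind = "lookalike of" if _edit_distance(from_dom, CORP_DOMAIN) <= 2 else "outside"
        findings.append(f"sender domain {from_dom} is {kind} {CORP_DOMAIN}")
    # 3. Replies are silently routed to a different mailbox.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Lure content: W-2 / SSN wording and the urgency phrasing from the post.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    lures = sorted({m.group(0).lower()
                    for p in LURE_PATTERNS for m in re.finditer(p, text, re.I)})

    if findings and lures:
        verdict = "hold"      # verify out of band before sending anything
    elif len(lures) >= 3:
        verdict = "review"
    else:
        verdict = "ok"
    return {"findings": findings, "lures": lures, "verdict": verdict}


# Constructed sample messages (not real traffic).
PHISH_FREEMAIL = """\
From: "Jane Doe" <ceo.janedoe@gmail.com>
To: payroll@example.com
Subject: W-2 review

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review.
"""

PHISH_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: "Jane Doe" <janedoe.ceo@outlook.com>
To: hr@example.com
Subject: Employee list

Can you send me the updated list of employees with full details (Name,
Social Security Number, Date of Birth, Home Address, Salary). I need it asap.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: hr@example.com
Subject: Leadership lunch

Can everyone make Thursday at noon for the leadership lunch?
"""

if __name__ == "__main__":
    for label, raw in [("freemail", PHISH_FREEMAIL),
                       ("lookalike", PHISH_LOOKALIKE), ("legit", LEGIT)]:
        print(label, screen_message(raw))
```

A "hold" verdict is a prompt for the human step, not a replacement for it: the display-name match here is exact and would miss "J. Doe" or a nickname, and a message sent from a genuinely compromised executive mailbox passes every identity check. The only control that catches that case is confirming the request with the executive by phone or in person before any W-2 data leaves the mailbox.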

Organizations should prepare for these threats by developing awareness programs and instructing employees to question requests for sensitive data regardless of the apparent source.  Anti-virus and other technical controls alone will not stop every phishing attack; a message like those quoted above carries no malware or malicious link, it simply asks a person to send the data.  Designated staff should be alerted immediately when anything seems suspicious.  Other safeguards include policies that require verification by a second person, through a channel other than the requesting email (a phone call or in-person confirmation), before personal information is released.  Michael Overly, partner at Foley & Lardner, has developed a checklist for employers to follow when considering cybersecurity policies. 

While HR has historically not been responsible for IT issues, when people become the weak point in technology, HR needs to take a proactive approach and partner with its technology teams to educate employees and develop policies and procedures that safeguard both company and employee personal information.

Do You Have Sufficient Protection?

Ready to protect your professional career with the best malpractice insurance on the market? Contact us today and let our experienced team guide you towards peace of mind. Your success is our priority.