As the April 15th tax filing deadline draws near, cybercrime related to filing fraudulent tax returns to obtain tax refunds has picked up. On March 1, 2016, the United States Internal Revenue Service (IRS) issued an Alert for Payroll & HR Professionals on scam emails that attempt to trick company personnel into turning over employee W-2s, Social Security numbers (SSNs) or other personal information that would enable the filing of a fraudulent tax return. These emails, known as “phishing emails”, purport to be from a company executive, are most often sent directly to an employee in charge of payroll or benefits (some are sent to chief financial officers), and request W-2 or other payroll information on employees. Per the IRS Alert, the phishing emails include requests such as the following:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
Many companies have fallen prey to this email phishing scheme! When employee W-2s, SSNs, and other financial account information are turned over to an unauthorized third party, this may trigger the application of state data breach notification laws. Forty-seven (47) of fifty states have data breach notification laws that will require notification to the affected individuals when their W-2 or SSN is supplied to an unauthorized or unknown third party. Kentucky, Indiana, Tennessee and Mississippi all have such laws.
Bottom line – Be sure your payroll and benefits staff are aware of this phishing scheme. In general, advise all employees to be ultra-cautious about responding to any email that asks for documents containing SSNs and tax information or asks for usernames and passwords for any website. Advise employees to pick up the phone, call the purported sender, and ask if they actually sent the email request. If the employee cannot reach the purported sender to confirm that it is legitimate, the employee should call the company’s IT help desk before responding to the email or clicking on a link in the email.