A legal blog about consumer and business data privacy and security in a high tech world

HR and payroll email scams

IRS Issues Cyber Alert for HR and Payroll Professionals

March 3, 2016 | March 30, 2016 | Kathie McDonald-McClure | Cyber Security and Cyber Crime, Data Privacy & Security, Privacy & Security | HR and payroll email scams, Internal Revenue Service Cyber Crime Alert, phishing and malicious emails

As the April 15th tax filing deadline draws near, cybercrime related to filing fraudulent tax returns to obtain tax refunds has picked up. On March 1, 2016, the United States Internal Revenue Service (IRS) issued an Alert for Payroll & HR Professionals on scam emails that attempt to trick company personnel into turning over employee W-2s, Social Security numbers (SSNs) or other personal information that would enable the filing of a fraudulent tax return. These emails, known as “phishing emails”, purport to be from a company executive, are most often sent directly to an employee in charge of payroll or benefits (some are sent to chief financial officers), and request W-2 or other payroll information on employees. Per the IRS Alert, the phishing emails include requests such as the following:

  • “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

Many companies have fallen prey to this email phishing scheme! When employee W-2s, SSNs, and other financial account information are turned over to an unauthorized third party, this may trigger the application of state data breach notification laws. Forty-seven (47) of fifty states have data breach notification laws that will require notification to the affected individual when their W-2 or SSN is supplied to an unauthorized or unknown third party. Kentucky, Indiana, Tennessee and Mississippi all have such laws.

Bottom line – Be sure your payroll and benefits staff are aware of this phishing scheme.  In general, advise all employees to be ultra-cautious about responding to any email that asks for documents containing SSNs and tax information or Continue reading →

Copyright 2017. HITECH Law Blog. All rights reserved. Fair use with attribution welcomed.