Please fill in the form below to subscribe to our blog

Phishing Scam Targets Human Resources Professionals

May 08, 2017

The IRS recently issued an alert, warning Human Resources or Payroll professionals to be on the lookout for an email scheme designed to steal employee data from W-2 forms. The scam has already claimed some high profile victims, such as Snapchat, and is especially threatening as employees are in the midst of tax season.

What is Email Phishing?

The IRS recently reported that it has seen a 400 percent increase in phishing and malware incidents – so how do they work and why are so many getting duped? With email phishing in particular, cyber criminals send messages directing an individual to a website where they are required to input their personal information such as an online account login, credit card information, Social Security numbers or bank account information.

This information is then typically used in identity theft incidents that could result in financial losses, negative credit scores and reputation damage. Scammers typically pose as a familiar party or website and send messages en masse, which unfortunately leads to a percentage of victims that fall for the scheme.

The Scheme

The new scheme the IRS warns of specifically targets payroll and human resource employees. In the fraudulent email message, which is made to appear like it is being sent from a corporate executive, a request is made to submit personal information on employees. The information requested includes W-2 information – Social Security Numbers, dates of birth, addresses and salaries.

Scammers have likely had greater success as these employees have quick access to W-2 information, especially during tax season and would likely not question the legitimacy of an email being sent from a supervisor.

What to Look For to Prevent Being Phished

There a few things to keep an eye out for if you feel you may be targeted in a phishing scam:

  1. Urgent request – Most scam emails indicate that the request being made needs to be completed ASAP. This way, employees are less inclined to research the legitimacy of the request.
  2. Suspicious links – If the email requesting personal information includes a link to an external website, simply clicking the link can automatically trigger a malware download.
  3. Incorrect Email Address Domains – In most email hosting platforms, you can preview the sender email address as well as the sender name. In most phishing cases, the sender address does not match the sender name, which is a red flag that should be easily recognized.

If you think you may have fallen victim to a phishing scheme, it is pertinent to obtain personal identity monitoring so that you are made immediately aware if your personal information is being used for identity theft. ID Agent’s personal identity monitoring service provides comprehensive monitoring to put your mind at ease with email phishing scams on the rise.