March 8, 2021

Volume XI, Number 67


March 05, 2021


Beware of Email Requests from the C-Suite to Transfer Employee Data

ALERT: Human Resources and payroll professionals are being targeted by sophisticated cybercriminals seeking to steal employee data. The email phishing scam works like this: the bad guy sends an email to employees in the human resources or payroll department, spoofing an email from a company executive, usually the CEO or CFO. Email spoofing is the forgery of an email header so that the message appears to have originated from the C-suite but actually comes from a cybercriminal. The email may seek confidential information about the company’s employees, such as their Social Security Numbers and W-2 forms, or may ask that funds be immediately sent, via wire transfer, to a bank account number (commonly associated with a bank overseas). Recipients of spoofed emails are deceived into disclosing the protected data, which is then used to submit employees’ tax returns to the Internal Revenue Service or for other illegal activity, such as transferring company funds to accounts from which they cannot be retrieved.

On March 1, the IRS issued an alert in response to what it calls a “surge” in email phishing in 2016.  The alert makes clear that the IRS is aware of several companies that have been breached using email spoofing and phishing scams.

The victims of this scam, in most cases, are individual employees, and the cybercriminals use sophisticated social engineering to perpetrate their crimes. Social engineering is a type of cyber-con that leverages intelligence from an individual’s social network and interactions with other users to manipulate the user into disclosing confidential data. While many of these attacks are associated with relatively simple identity theft and tax fraud rings, others may be associated with efforts to undermine national security when directed toward companies that maintain data or files related to U.S. critical infrastructure like airports, military bases, utilities or waterways.

While companies are increasingly investing in information security technologies, even the most sophisticated technology can be defeated by a phishing attack, in which an employee is fooled into transferring files, money or a password granting access to company systems.  It takes a village to protect a village:  information security is every employee’s responsibility, and every employee must be educated to spot and avoid these types of tricks.  The key to mitigating a phishing breach is to educate employees and to create a culture, from the top down, to safeguard data and to be aware of cyber vulnerabilities.  By educating employees, creating policies and enforcing protocols, companies can significantly reduce their cyber risk profiles.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume VI, Number 81



About this Author

Justine M. Phillips
Special Counsel

Justine Phillips is a special counsel in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego (Del Mar) office.

Areas of Practice

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Justine takes a holistic approach to assist clients on everyday issues related to electronically stored information including: cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction...


Laura Jehl is a partner in the Business Trial Practice Group in the firm’s Washington, D.C. office. Ms. Jehl is a privacy and cybersecurity expert and serves as Co-Leader of the Privacy and Data Security Practice.

Ms. Jehl has more than two decades of in-house and private practice experience, and has represented clients on a wide range of business and legal matters, including privacy, data security, breach response, litigation and government investigations, crisis management, Internet, digital media, technology and First Amendment matters. Most...