November 11, 2019


Phishing Scam Targets Human Resources and Payroll Departments

Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax-related information and Social Security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”). At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach. Because Human Resources works with employee PII on an everyday basis, it may be best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax-related information to commit identity theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive. The email is sent to an employee in the Human Resources or Payroll department, requesting a list of employees and their Forms W-2. The IRS reports that the phony email may also request the names and Social Security numbers of employees with their addresses and dates of birth. Because the email is disguised to appear to come from an internal email address, if the HR or Payroll employee responds with the information, it will actually be sent out of the organization to a cybercriminal. The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that employees’ confidential tax-related information be sent by email only with 100% confidence that the intended recipient is within the organization and has requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Forms W-2 and tax-related information. One simple protective measure may be to require a phone call confirmation before hitting the send button. As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel-related PII and provide workforce training to protect against data breaches and fraudulent schemes. In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies that provide for encryption when sending personnel-related PII by email. The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well-thought-out strategy is the best defense.

©2019 Epstein Becker & Green, P.C. All rights reserved.


About this Author

Brian G. Cesaratto
Member

BRIAN G. CESARATTO is a Member of the Firm in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Cesaratto's practice includes complex commercial litigation, criminal defense, internal and law enforcement investigations, employment litigation, and computer and electronic data misappropriation and forensics.

212-351-4921

Adam S. Forman
Member

ADAM S. FORMAN is a Member of the Firm in the Employment, Labor, and Workforce Management practice, based in Chicago and Detroit (Metro). As noted in the 2015 edition of Chambers USA, Mr. Forman “is a renowned expert in social media issues relating to the workplace” and also “focuses on litigation, training and preventive advice on the employment side.” A frequent writer and national lecturer on issues related to technology in the workplace, such as social media, Internet, and privacy issues facing employers, Mr. Forman is often interviewed by newspapers, radio, and legal blogs on those topics.

312-499-1468