Mar 222016

IRS Alerts Payroll and HR Professionals to Email Phishing Scheme Soliciting W-2s

Colleen Theresa Brown, Alan Charles Raul and Tasha D. Manoranjan
, ,

On March 1, the IRS issued an alert to payroll and human resources professionals regarding a phishing email scheme that purports to be from company executives and requests personal information on employees.  The IRS said this scheme is part of a “surge” in phishing emails seen this year.

Many companies have fallen victim to this scheme, in which payroll or other human resources officers mistakenly email sensitive payroll data including Forms W-2, which contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.

The IRS provided some of the language used in these phishing emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

The emails “spoof” actual company executives, in that they appear as legitimate requests for employee information.  Cybercriminals may use personal information to file fraudulent tax returns for refunds.

As a best practice, we recommend that personnel:

  • Confirm any request for sensitive employee information verbally with HR;
  • Always send sensitive information in an encrypted format;
  • Send passwords separately, either verbally or out-of-channel (such as via text message to a separately verified number); and
  • Confirm that the email domain on an email request for employee information is the expected corporate domain.
Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Tasha D. Manoranjan

tmanoranjan@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.