Tax time is here and human resources personnel across the country are busy meeting critical federal and state filing deadlines for payroll information and W2s. This time of year is also a prime time for thieves hoping to get copies of W2s and other personal information to run tax refund scams and other identity theft crimes.
The Latest Scam
The most recent scam targets employees working in human resource departments. Well-written phishing emails designed to look like they come from a high-level company executive are being sent out asking for sensitive information. There are several versions of the email, but they all generally ask for W2s or other payroll information. The requests are always urgent, and often include an excuse as to why the executive is asking for something outside of the normal protocols.
In at least one version, the email states that the executive will not be available by email or phone and asks the employee to mail them to a third party. Other versions of the scam have employees click on a link in the email to upload the document to a supposedly secure server. In reality the information is being given over to thieves.
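As an added example that is not part of the original article or DHR's own material, the Python script below scores incoming mail against the cues just described (an executive's display name on an address outside the company domain, a Reply-To that steers replies elsewhere, W2 or payroll terms, urgency wording, an excuse for skipping the normal channel, and a link to an "upload" site) so that matches can be held for a human to verify before anything is sent. The company domain, the executive names and all four sample messages are constructed placeholders.

```python
"""Heuristic triage for executive-impersonation W2/payroll phishing.

Added example, not code from the original article or from DHR. The company
domain, the executive names and every sample message below are constructed
for illustration; a real deployment would pull them from the mail gateway
and the HR directory instead.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

COMPANY_DOMAIN = "example-hr.test"                      # assumed internal domain
EXECUTIVE_NAMES = {"pat rivera", "jordan lee"}          # assumed executive list

# Cues drawn from the scam pattern: sensitive payroll data, urgency,
# an excuse for bypassing normal channels, and a link to an "upload" site.
SENSITIVE = re.compile(r"\b(w-?2s?|payroll|ssn|social security)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)
BYPASS = re.compile(
    r"\b(out of (the )?office|can't be reached|unavailable|do not call|don't call)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)

FLAG_THRESHOLD = 3  # score at which a message is held for human verification


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def _domain(header_value: str) -> str:
    """Return the lowercase domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(msg: dict) -> Verdict:
    """Score one message; higher means more like an executive W2 scam."""
    v = Verdict()
    name, _ = parseaddr(msg.get("from", ""))
    from_dom = _domain(msg.get("from", ""))
    # Executive's display name on an address outside the company domain
    if name.strip().lower() in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        v.add(2, f"executive display name on external domain {from_dom!r}")
    # Reply-To steering replies to a different domain than From
    reply_dom = _domain(msg.get("reply-to", ""))
    if reply_dom and reply_dom != from_dom:
        v.add(1, f"reply-to domain {reply_dom!r} differs from from domain")
    text = msg.get("subject", "") + "\n" + msg.get("body", "")
    if SENSITIVE.search(text):
        v.add(1, "asks for W2/payroll data")
    if URGENCY.search(text):
        v.add(1, "urgency language")
    if BYPASS.search(text):
        v.add(1, "excuse for bypassing normal verification")
    if SENSITIVE.search(text) and LINK.search(msg.get("body", "")):
        v.add(1, "link offered for uploading sensitive data")
    return v


# Constructed sample mailbox: the two scam variants described above, two benign mails.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Pat Rivera <pat.rivera@example-hr-ceo.test>",
     "subject": "Urgent: W2 copies needed",
     "body": "Send PDF copies of all employee W2s today. I'm out of the office and "
             "can't be reached by phone, so mail them to our auditor at "
             "auditor@third-party.test."},
    {"id": "m2", "from": "Jordan Lee <jordan.lee@example-hr.test>",
     "reply-to": "jordan.lee@mail-relay.test",
     "subject": "Payroll report",
     "body": "Please upload the payroll summary to our secure server "
             "https://secure-upload.test/payroll right away. Do not call, I am in "
             "meetings all day."},
    {"id": "m3", "from": "Sam Ortiz <sam.ortiz@example-hr.test>",
     "subject": "Lunch on Friday",
     "body": "Team lunch Friday at noon, reply if you can make it."},
    {"id": "m4", "from": "Payroll Team <payroll@example-hr.test>",
     "subject": "March payroll calendar",
     "body": "The March payroll calendar is attached. W2s were mailed on January 28."},
]


def triage(messages) -> dict:
    """Map message id -> whether it should be held for two-person verification."""
    return {m["id"]: assess(m).flagged for m in messages}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        v = assess(m)
        print(m["id"], v.score, "FLAG" if v.flagged else "ok", "; ".join(v.reasons))
```

The scoring is deliberately additive rather than a single hard rule: a routine internal payroll mail (m4) trips only the keyword cue and passes, while both scam variants stack several cues and are held. Whatever the score, a flagged message should be routed into the verification step (a phone call to the executive on a known number, or the two-person approval described later in this article) rather than silently dropped.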
Many companies have already fallen victim to this scam. In addition to putting employees at risk of identity theft, delayed tax refunds, and months or years of financial problems, these scams can cost companies thousands or even millions of dollars in fines and lawsuits.
How to Prevent Releasing Sensitive Employee Information to Thieves
There are several steps that companies can take to protect themselves from scams like this in the future. The first step is to make sure that all employees with access to these records are aware of this scam. Beyond being aware of the scam, companies should consider implementing specific policy measures to protect sensitive employee data including:
- Limiting access to W2s and other payroll information to a need-to-know basis
- Requiring two people to approve sending W2s to any third party
- Training employees to spot phishing emails
- Clearly communicating the chain of command and who can authorize any activity involving W2s or payroll information
- Making sure employees understand the need to verify requests for sensitive information
- Creating an environment of openness where employees feel comfortable reporting suspicious emails, texts, or other communications
As more information is stored digitally, more hacks and scams will target businesses in the hope of finding a weak link. To inform employees and combat these scams, a company needs a clear set of written policies that all employees are trained on.
What Happens If There is a Breach?
Companies also need to have a written protocol for dealing with security breaches. The most common mistakes companies make in this area are not proactively training employees about the dangers of these phishing scams and not reporting security breaches immediately.
While companies are understandably reluctant to admit that they have released W2s to thieves, word of the breach will eventually get out. By not acknowledging the issue early on, you put your employees at greater risk and may increase the fines and damages the company eventually has to pay out.
The three key actions to take in the event that sensitive employee data is compromised are:
- Notify law enforcement
- Notify the IRS
- Notify affected employees
Make sure your company is on the lookout for possible W2 scams and that it also has a plan in place to deal with any mistakes.
Diversified Human Resources (DHR) is the leading full-service HR solutions provider based in Arizona, with offices in Denver. Since 1996, DHR has served thousands of Arizona and regional companies with payroll, benefits, HR administration, retirement, and workers' compensation solutions. Contact us today and learn how easy it is to tailor a plan to upgrade your HR function and improve your bottom line.