FBI Warns of Another Phishing Scam Against Employees

The FBI is now warning employers of a possible phishing scam taking place. This one targets the employees themselves. It focuses on companies that use self-service platforms where employees can view their pay, get duplicates of W-2s and update direct deposit information. The fraudsters are impersonating the employer’s human resources department and asking employees to update or confirm their personal information via a fake website. The employee receives a fake email that asks the employee to click on the link provided to log into their self-service account. The email asks the employee to log on to view a private email from HR, to view changes that have been made to their account, or to confirm that the account is still active.

By clicking on the link and entering their self-service credentials, the employee is actually giving their logon information to the fraudster. The fraudster can then go into the self-service account himself and access all of the information, including W-2 and pay stub info. He can also change the direct deposit information. In order to prevent the victim from knowing what is going on, the fraudster will also change the email address that the self-service platform uses to send alerts when changes are made.

Payroll and human resources professionals need to be on the lookout for this type of email.  With the new tax bill causing new tax withholding decisions, many employees are making good use of these types of self-service portals.  This will be especially true when the new Form W-4 is issued by the IRS.  Employees will want to make sure they have the proper withholding under the new tax tables.  And it would not be “unusual” for payroll or HR to send out emails during this time-frame.

It is also imperative to practice what the FBI calls “good email hygiene”.  Train your employees to watch for phishing attacks and to also check the actual email address rather than just looking at the display name.  Both these items can be crucial to seeing the attack early, before the damage is done.
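The display-name check described above can also be automated at the mail gateway or in a reporting tool. The following Python sketch is an added example, not code from the FBI or the IRS; the company domain `example.com`, the keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the employer's real mail domain and the
# words an impersonator is likely to put in the display name.
COMPANY_DOMAIN = "example.com"
INTERNAL_WORDS = re.compile(r"\b(hr|human resources|payroll)\b", re.I)
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def sender_findings(raw_message, company_domain=COMPANY_DOMAIN):
    """Return a list of reasons the sender looks impersonated."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []

    # 1. Display name claims HR/payroll, but the address is not ours.
    if INTERNAL_WORDS.search(display) and from_domain != company_domain:
        findings.append("internal-sounding name, external address")

    # 2. Display name shows an e-mail address on a different domain
    #    than the one the message actually uses.
    shown = ADDR_IN_NAME.search(display)
    if shown and shown.group(1).lower() != from_domain:
        findings.append("display name shows a different address")

    # 3. Replies would go to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed sample messages (not real traffic).
LEGIT = "From: HR Department <hr@example.com>\nSubject: Open enrollment\n\nHi"
SPOOFED = (
    'From: "HR Department hr@example.com" <notice@example.net>\n'
    "Reply-To: hr-desk@example.org\n"
    "Subject: Confirm your self-service account\n\nLog in to view."
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, sender_findings(raw))
```

This only catches deception in the display name and Reply-To; whether the From address itself is forged is a separate check that relies on SPF, DKIM and DMARC results.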

The Bad Guys Are Phishing Again!

It appears the bad guys are after our payroll information again. The IRS and state tax agencies in Michigan, Colorado, Maryland and Rhode Island are urging all payroll personnel to be wary and to educate themselves about a Form W-2 phishing scam that made victims of hundreds of organizations and thousands of employees in 2017. I blogged about this last year, but it bears repeating with the new W-2 submission deadline looming. Here’s how the scam works: cyber criminals do their homework, identifying chief operating officers, school executives or others in positions of authority. Using a technique known as business email compromise (BEC) or business email spoofing (BES), fraudsters posing as executives send emails to payroll personnel requesting copies of Forms W-2 for all employees. The bad guys are using the information to file fraudulent tax returns, or it is posted for sale on the Dark Net.

The initial email may be a friendly “hi, are you working today” exchange before the fraudster asks for all W-2 information. In several reported cases, after the fraudsters acquire the workforce information, they immediately follow up that request with a wire transfer. The IRS is hoping that by alerting employers and payroll professionals now it can limit the success of this scam in 2018. It has also created a new process by which employers should report the scams. There are steps the IRS can take to protect employees, but only if the agency is notified immediately by the employers about the theft.

The IRS is also suggesting that employers consider creating a policy to limit the number of employees who have the authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as an employee’s Form W-2.

The IRS has established a special email notification address specifically for employers to report Form W-2 data thefts. Here’s how the Form W-2 scam victims can notify the IRS:

  • Email dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information as listed below
  • In the subject line, type “W-2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
  • Include the following:
    • business name
    • business employer identification number (EIN) that is associated with the data loss
    • contact name
    • contact phone number
    • summary of how the data loss occurred
    • volume of employees impacted by the data loss

Businesses and payroll professionals that only receive a suspect email but do not fall victim to the scam should send the full email headers to phishing@irs.gov and use “W-2 Scam” in the subject line. But payroll professionals as well as finance departments should be alert to any unusual request for employee data. Cyber criminals and their scams are constantly evolving.

Jane Fonda is Not Wrong on Tip Regulations

As some of you may have seen on Facebook, a new video with Jane Fonda has been making the rounds. It concerns the latest Department of Labor proposed rules concerning employer treatment of tips. Leaving the politics of Jane Fonda aside, this is an important issue that needs to be understood. A great source to understand this issue is the latest post from Wage & Hour Insights written by Bill Pokorny on December 8th. I highly recommend you review his analysis of the proposed rule.

W-2 Verification Code Program is Expanding in 2017

I attended the October 5th payroll industry telephone conference call.  On the call Scott Mezistrano, with the IRS Industry Stakeholder Engagement and Strategy, provided the listeners with updated information on the W-2 Verification Code Pilot Program for the 2018 filing season (2017 Forms W-2).

Where the code appears

First, just a quick review of the program itself. It was implemented during the 2016 filing season. Its purpose is to combat tax-related identity theft and tax refund fraud. It requires a 16-character code be input into box 9 so that the tax filer can be verified when filing taxes electronically. It only appears on the Form W-2 copies B (filed with the employee’s federal tax return) and C (the employee’s copy). If the Verification Code (VC) is deemed valid, then the IRS treats the W-2 data submitted with the Form 1040 as valid, thereby reducing fraudulently filed tax returns.

For the 2016 Forms W-2 only ADP, Ceridian, Intuit, Paychex, Payroll People, Prime Pay and Ultimate Software participated in the test pilot program. If the taxpayer had a VC it was entered 34% of the time. However, when it was entered, it was validated 97% of the time.

For the 2017 Forms W-2 there will be 10-12 service bureaus or payroll software companies participating in the program. This includes the same companies as in 2016 along with the National Finance Center and a few more payroll service providers. This should result in approximately 66 million Forms W-2 containing the code. That works out to about 1 in 4 forms that will be filed.

 

Not All IRS Guidance is as Good as Gold

Nina Olson is with the Taxpayer Advocate Service (TAS). This is an independent organization within the IRS that assists taxpayers who are experiencing “troubles” with the IRS in getting issues resolved through the “normal channels”. During a recent congressional hearing she was asked what seemed like simple questions concerning the types of IRS guidance taxpayers can rely on. But the answer was not simple. She wrote a blog post, IRS Frequently Asked Questions Can be a Trap for the Unwary, on July 26, 2017, that contains excellent information for those of us who need to research tax questions and rely on tax guidance from the IRS. I recommend reading it to ensure you know what you can and cannot rely on when researching the IRS website for tax guidance.

Using Fluctuating Workweek? Might Want to Think Again

If you are currently using the fluctuating workweek that is permitted under the Fair Labor Standards Act (FLSA), you may want to review that decision. The Fifth Circuit Court of Appeals has drawn some limits on that method. Bill Pokorny has done a fantastic blog post discussing this recent court case. Check it out for the latest if you are currently using this type of workweek or just want to increase your current knowledge in this area.

Does Time and A Half Pay Count Towards Overtime?

When conducting my webinars on the FLSA requirements one area always seems confusing to attendees and that is the eight types of payments that can be excluded when calculating regular rate of pay.  The one found most often to be confusing to my attendees and maybe to you as well is the one that is for bona fide overtime premiums. Bill Pokorny has done an excellent blog post on this subject that I know you will find helpful on this topic. Please take the time to check it out if you offer this type of payment or to improve your general payroll knowledge.

Disaster Relief for Employees and Employers

With the major disasters befalling us, many employers and employees are looking for ways to help or seeking help to recover. The IRS, the states and others are providing relief for these disasters. For example, the IRS is permitting pension plan hardship loans and filing extensions. They are also permitting leave sharing programs and leave donations with favorable taxation. Click here for an outline of the IRS’s latest tax relief.

The states are also giving disaster relief.  So far Alabama, Colorado, Georgia, Hawaii, Idaho, Illinois and Wisconsin have posted tax filing/payment relief for employers.  You need to check the individual website for each state to see who is offering this type of relief.

In addition, Ernst and Young’s Workforce Advisory Services is offering a complimentary webcast tomorrow morning on Disaster Relief: Workforce Considerations for Employers at 9 am pacific/12 noon eastern.

Employer Information Report (EEO-1) Pay Data Collection Blocked

The U.S. Equal Employment Opportunity Commission (EEOC) has been notified by the Office of Management and Budget (OMB) that it is initiating a review and immediate stay of the effectiveness of the pay data collection aspects of the EEO-1 Form that was revised on September 29, 2016, in accordance with its authority under the Paperwork Reduction Act (PRA).

The previously approved EEO-1 form which collects data on race, ethnicity and gender by occupational category will remain in effect. Employers should plan to comply with the earlier approved EEO-1 (Component 1) by the previously set filing date of March 2018.

Acting Chair Lipnic said:

“The EEOC remains committed to strong enforcement of our federal equal pay laws, a position I have long advocated. Today’s decision will not alter EEOC’s enforcement efforts.

I had consistently urged OMB to make a decision on this matter so that stakeholders would be aware of their reporting obligations.

Going forward, we at the EEOC will review the order and our options. I do hope that this decision will prompt a discussion of other more effective solutions to encourage employers to review their compensation practices to ensure equal pay and close the wage gap. I stand ready to work with Congress, federal agencies, and all stakeholders to achieve that goal.”

My editorial:  Is this a good move?  I am not sure, but it seems like it will do more to discourage employers from closing the wage gap.  So far voluntary “encouragement” to bring compensation practices closer to ensure equal pay has not really worked very well, now has it? Having to actually set down on paper, in a report to the EEOC, exactly what the wage gap is in an employer’s compensation was a good way to shed light on the subject.

What do you think?

Last Round for Now: Obama Era New OT Rules Knocked Out

On August 31st, the judge in charge of the court case for the new OT rules initiated by President Obama issued his final ruling. Basically he sided with the plaintiffs. For an excellent recap of the ruling I am referring you to Bill Pokorny’s blog.