Warning: Once Again Payroll Professionals are Being Targeted by Scams

The Internal Revenue Service and its Security Summit partners have once again warned payroll professionals of an uptick in phishing emails targeting them, this time involving payroll direct deposit and wire transfer scams.

These business email compromise/business email spoofing (BEC/BES) tactics generally target all types of industry and employers. The IRS and the Summit partners, consisting of state revenue departments and tax community partners, are concerned these scams, as well as the Form W-2 scam, could increase as the 2019 tax season approaches.

These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel. The email from the “employee” asks the payroll or human resource staff to change his or her direct deposit for payroll purposes. The “employee” provides a new bank account and routing number, but it is, in reality, controlled by the thief. This scam is usually discovered quickly, but not before the victim has lost one or two payroll deposits.

As a reminder, and as discussed in a previous blog, there is another version of the BEC/BES scam in which the emails impersonate a company executive and are sent to the company employee responsible for wire transfers. The email requests that a wire transfer be made to a specific account that is controlled by the thief. Companies that fall victim to this scam can lose tens of thousands of dollars.

A common theme in these and many other email scams is that they include grammatical and spelling mistakes.

The IRS has provided an example of one such email (edited by IRS) that is displayed at the top of this blog.

Payroll/Tax professionals and others should also report tax-related phishing emails to phishing@irs.gov. This account is monitored by IRS cybersecurity professionals. This reporting process also enables the IRS and Security Summit partners to identify trends and issue warnings. Because of the dangers to tax administration posed by the Form W-2 scam, the IRS set up a reporting process for employers. Employers who fall victim to the W-2 scam should report it at dataloss@irs.gov. There is a process employers can follow at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers. Employers who receive the W-2 scam email but do not fall victim should forward the email to phishing@irs.gov.

FBI Warns of Another Phishing Scam Against Employees

The FBI is now warning employers of a possible phishing scam taking place. This one targets the employees themselves. It focuses on companies that use self-service platforms where employees can view their pay, get duplicates of W-2s and update direct deposit information. The fraudsters are impersonating the employer’s human resources department and asking employees to update or confirm their personal information via a fake website. The employee receives a fake email that asks the employee to click on the link provided to log into their self-service account. The email asks the employee to log on to view a private email from HR, to view changes that have been made to their account, or to confirm that the account is still active.

By clicking on the link and entering their self-service credentials, the employee is actually giving their logon information to the fraudster. The fraudster then can go into the self-service account himself and access all of the information, including W-2 and pay stub info. He can also change the direct deposit information. In order to prevent the victim from knowing what is going on, the fraudster will also change the email address that the self-service platform uses to send alerts when changes are made.
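The sequence just described (alert e-mail changed first, then direct deposit changed, so the real employee never sees the notification) is something a payroll or security team can watch for in the self-service platform's audit trail. The following is an added example, not code from the original post, the FBI, or any payroll vendor; the event field names, the company domain `example.com` and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: the employer's own mail domain (hypothetical value).
COMPANY_DOMAIN = "example.com"

# Constructed sample audit trail from a hypothetical self-service portal.
# The field names are an assumption for this example, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2018-12-03T09:14:02", "user": "jdoe", "action": "login"},
    {"ts": "2018-12-03T09:15:40", "user": "jdoe", "action": "change_alert_email",
     "old": "jdoe@example.com", "new": "jdoe.notify@mail.invalid"},
    {"ts": "2018-12-03T09:17:05", "user": "jdoe", "action": "change_direct_deposit",
     "old": "acct-****1234", "new": "acct-****9876"},
    {"ts": "2018-12-04T11:02:11", "user": "asmith", "action": "change_direct_deposit",
     "old": "acct-****5555", "new": "acct-****4444"},
    {"ts": "2018-12-10T08:30:00", "user": "asmith", "action": "change_alert_email",
     "old": "asmith@example.com", "new": "asmith2@example.com"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_external(address, company_domain=COMPANY_DOMAIN):
    """True when the mailbox is not on the employer's own domain."""
    return address.rpartition("@")[2].lower() != company_domain.lower()


def find_suspicious_changes(events, window=timedelta(hours=24)):
    """Flag a direct-deposit change when the same account's alert e-mail was
    changed shortly before it (the ordering the post describes), and flag any
    alert e-mail moved off the company domain.  Returns a list of findings."""
    findings = []
    per_user = {}
    for e in sorted(events, key=_ts):
        per_user.setdefault(e["user"], []).append(e)

    for user, evs in per_user.items():
        alert_changes = [e for e in evs if e["action"] == "change_alert_email"]
        deposit_changes = [e for e in evs if e["action"] == "change_direct_deposit"]

        for a in alert_changes:
            if is_external(a["new"]):
                findings.append({"user": user, "rule": "alert_email_external",
                                 "ts": a["ts"], "new_email": a["new"]})
            for d in deposit_changes:
                gap = _ts(d) - _ts(a)
                # Only the "alert e-mail first, deposit second" ordering is suspicious.
                if timedelta(0) <= gap <= window:
                    findings.append({"user": user, "rule": "deposit_after_alert_change",
                                     "alert_changed": a["ts"], "deposit_changed": d["ts"],
                                     "gap_minutes": int(gap.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_changes(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample events, only `jdoe` is flagged (both rules fire); `asmith` changed the deposit account and, days later, the alert address to another company mailbox, which is the ordinary case. A practical follow-up for a flagged account is to confirm the change with the employee through a channel other than the e-mail address just entered.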

Payroll and human resources professionals need to be on the lookout for this type of email.  With the new tax bill causing new tax withholding decisions, many employees are making good use of these types of self-service portals.  This will be especially true when the new Form W-4 is issued by the IRS.  Employees will want to make sure they have the proper withholding under the new tax tables.  And it would not be “unusual” for payroll or HR to send out emails during this time-frame.

It is also imperative to practice what the FBI calls “good email hygiene”.  Train your employees to watch for phishing attacks and to also check the actual email address rather than just looking at the display name.  Both these items can be crucial to seeing the attack early, before the damage is done.
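The "check the actual address, not just the display name" advice can also be automated at the mail gateway or in a helpdesk triage script. The following is an added example, not code from the original post or the FBI; the company domain `example.com`, the known-sender directory, the confusable-character table and the three sample messages are all constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the employer's domain and a small directory of
# known senders (constructed, not real people).
COMPANY_DOMAIN = "example.com"
KNOWN_SENDERS = {
    "jane executive": "jane.executive@example.com",
    "hr department": "hr@example.com",
}

# Simple confusable substitutions used to spot look-alike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(domain):
    """Collapse common look-alike spellings so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d


def inspect_from(raw_message):
    """Return the display name, the actual address, and a list of reasons the
    From header deserves a second look before any payroll change is made."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []

    if not addr:
        flags.append("no parseable sender address")
        return {"display_name": name, "address": addr, "flags": flags}

    # The display name is free text; the domain after '@' is what to trust.
    if domain != COMPANY_DOMAIN:
        if normalize(domain) == normalize(COMPANY_DOMAIN):
            flags.append(f"domain {domain!r} looks like {COMPANY_DOMAIN!r} but is not")
        else:
            flags.append(f"domain {domain!r} is outside {COMPANY_DOMAIN!r}")

    # A familiar name paired with an unfamiliar address is the classic BEC pattern.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        flags.append(f"display name {name!r} is normally {expected!r}, not {addr!r}")

    return {"display_name": name, "address": addr, "flags": flags}


# Constructed sample messages (headers only).
SAMPLES = {
    "legit": "From: Jane Executive <jane.executive@example.com>\nSubject: Q4 numbers\n\nhi\n",
    "lookalike": "From: Jane Executive <jane.executive@exarnple.com>\nSubject: Urgent\n\nhi\n",
    "external": "From: HR Department <hr-portal@mail.invalid>\nSubject: Confirm your account\n\nhi\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, inspect_from(raw))
```

The legitimate message produces no flags; the look-alike domain and the external "HR Department" message each produce two. The check deliberately ignores the display name as evidence of identity and uses it only to ask whether the address behind it is the one on file.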