The FBI is now warning employers of a possible phishing scam taking place. This one targets the employees themselves. It focuses on companies that use self-service platforms where employees can view their pay, get duplicates of W-2s and update direct deposit information. The fraudsters are impersonating the employer’s human resources department and asking employees to update or confirm their personal information via a fake website. The employee receives a fake email that asks the employee to click on the link provided to log into his self-service account. The email asks the employee to logon to view a private email from HR, to view changes that have been made to their account, or to confirm that the account is still active.
By clicking on the link and entering their self-service credentials, the employee is actually giving their logon information to the fraudster. The fraudster than can go into the self-service account himself and access all of the information including W-2 and pay stub info. He can also change the direct deposit information. In order to prevent the victim from from knowing what is going on, the fraudster will also change the email address that the self-service platform uses to send alerts when changes are made.
Payroll and human resources professionals need to be on the lookout for this type of email. With the new tax bill causing new tax withholding decisions, many employees are making good use of these types of self-service portals. This will be especially true when the new Form W-4 is issued by the IRS. Employees will want to make sure they have the proper withholding under the new tax tables. And it would not be “unusual” for payroll or HR to send out emails during this time-frame.
It is also imperative to practice what the FBI calls “good email hygiene”. Train your employees to watch for phishing attacks and to also check the actual email address rather than just looking at the display name. Both these items can be crucial to seeing the attack early, before the damage is done.