We've blogged on phishing before, but it's time for a refresh. In 2017 the IRS received approximately 900 complaints about phishing and suspected scams. That’s up from about 100 in 2016, and the number is expected to grow again in 2018. According to the IRS, in 2017 “more than 200 employers were victimized, which translated into hundreds of thousands of employees who had their identities compromised.” Don’t let your company be the next victim.
How to Spot a Phishing Scam
Basically, phishing is a scam where someone sends an unsolicited email with the goal of getting information from a victim. The email might ask for information directly or it might invite the victim to click a link or open an attachment. IRS-cited examples include:
- Your tax software provider sending an email with a link to a login page, asking you to update your information. The IRS says “criminals go to great lengths to create websites that appear legitimate but contain phony log-in pages [where victims] provide money, passwords, Social Security numbers and other information that can lead to identity theft.”
- Receiving an email attachment from your doctor’s office or a friend when it’s really a criminal posing as someone you trust. Scammers sometimes hack email accounts and send mass emails under another person’s name.
- Your boss emailing you, saying “hi, are you working today?” and then asking you to send W-2 information. “In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).”
Unsolicited emails with unusual requests are always a red flag. So are emails you’re not expecting that include links or attachments – either can trigger a download of malware that gives attackers access to your files. Malware can even log your keystrokes, which lets attackers see passwords and anything else you type.
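The red flags described above can be checked mechanically before a message ever reaches a person. The following is an added example, not code from the original post or from Horizon Payroll Solutions: a small Python scanner that parses raw email messages and reports the indicators the post lists (an executive's display name on mail from outside the company, a Reply-To that points somewhere other than the visible sender, requests for W-2 or wire-transfer data, urgency language, links and attachments). The company domain `example-corp.test`, the executive name, and all three sample messages are constructed assumptions for illustration.

```python
"""Added example (not from the original post): a small scanner that reports the
phishing red flags the post lists (unexpected requests for W-2 data, a boss's
name on mail from outside the company, urgency, links, attachments).
All sample messages are constructed here; the domain and names are assumed."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the company's own mail domain and the display names a BEC
# lure would borrow (hypothetical values, not from the original post).
INTERNAL_DOMAIN = "example-corp.test"
EXECUTIVE_NAMES = {"pat jones"}

SENSITIVE_RE = re.compile(r"\b(w-?2s?|wire transfer|ssn|social security)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
LINK_RE = re.compile(r"https?://\S+", re.I)


def red_flags(raw_message: str) -> list:
    """Return the red flags found in one RFC 5322 message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []

    # A known executive's display name on mail from a domain that is not ours.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        flags.append("display-name impersonation from external domain")

    # Replies silently redirected away from the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to differs from sender")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = str(msg.get("Subject", "")) + "\n" + text
    if SENSITIVE_RE.search(haystack):
        flags.append("requests W-2 / wire / SSN data")
    if URGENCY_RE.search(haystack):
        flags.append("urgency language")
    if LINK_RE.search(text):
        flags.append("contains link")
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("contains attachment")
    return flags


def _build(from_, subject, body, reply_to=None, attachment_name=None):
    """Construct a sample message and return it in raw text form."""
    m = EmailMessage()
    m["From"] = from_
    m["To"] = "hr@example-corp.test"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: the BEC lure from the post, a harmless internal note,
# and an "update your information" lure with a link and an attachment.
SAMPLES = {
    "bec_w2_request": _build(
        "Pat Jones <pat.jones@freemail.example>",
        "hi, are you working today?",
        "Need all employee W-2s sent to me today, please."),
    "legitimate_internal": _build(
        "Pat Jones <pat.jones@example-corp.test>",
        "Lunch Thursday?",
        "Want to grab lunch Thursday?"),
    "software_update_lure": _build(
        "Support <support@tax-software-updates.example>",
        "Action required: update your account",
        "Please log in immediately at\n"
        "http://tax-software-updates.example/login\n"
        "to update your information.",
        reply_to="collect@other.example",
        attachment_name="update-instructions.pdf"),
}


def scan_samples() -> dict:
    """Red flags for every constructed sample, keyed by sample name."""
    return {name: red_flags(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(f"{name}: {flags or ['no red flags']}")
```

A scanner like this is a triage aid for the mail team, not a replacement for the human check the post recommends: a message with no flags can still be a well-crafted lure, and the keyword lists would need to reflect the requests your own HR and finance staff actually receive.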
Why do we keep falling for it?
The short answer is because we’re human. Social engineers, those clever folks who trick us into giving up information, know that if they can evoke an emotional response, we’re more likely to make bad snap decisions. Even if we know better.
One effective trick is “linking e-mail or telephone scams to current and high profile news stories … because things that come to mind quicker are more likely to be judged as important and as likely to be genuine, a concept known as the availability heuristic,” says The Conversation. Imagine an email from a stranger warning about the flood of IRS scams hitting HR departments. It comes with a free download - tips to protect your company. Sound suspicious? It should.
We insist we’re not gullible or careless enough to fall for scams, but we’re all vulnerable. We pride ourselves on being helpful to our manager or customers. We’re suspicious but avoid confronting people and refusing requests. We crack under pressure or fear we’ve already been breached. Aaron Higbee, CTO of the corporate phishing-testing company PhishMe, says in Wired, “there’s going to be some trigger that evokes emotionally heightened themes like fear, reward, and urgency,” and that can lead even the most cautious employee to skip verifying the requester’s identity.
It’s not so much that the security system or weak passwords fail; it’s that the humans using them fail to protect sensitive information. As Lily Hay Newman writes in Wired, “I was suspicious of plenty of emails just from their subject lines, but never enough to override my desire to confirm that someone hadn't broken into my Amazon account and ordered 1,000 tennis balls.”
How to protect your company and your employees
If you only remember one thing, make it this: “the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”
Take these steps:
- Educate staff about online and phishing scams. The IRS's webpage on reporting phishing and online scams explains how to report a scam.
- If you or an employee receives a suspicious email, DO NOT REPLY, OPEN ANY ATTACHMENTS or CLICK ANY LINKS. Forward the email (as is) to email@example.com with the subject “W2 Scam.” Then delete the original email.
- If you or an employee receives an unexpected phone call from someone claiming to be from the IRS, take their name and badge number. Call 1-800-366-4484 to determine whether the caller is an IRS employee with a legitimate reason to call you.
- If you receive an unexpected letter, written notice or fax from the IRS, check whether it is legitimate on the IRS Understanding Your Notice or Letter page. Fraudulent letters, notices and forms often look authentic. If you suspect that you really do owe taxes, call the IRS at 1-800-829-1040.
- “Consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s,” suggests the IRS in a recent press release.
What if you were breached already?
The Federal Trade Commission has a free guide for businesses on responding to a data breach, including how to:
- Move quickly to secure your systems
- Find and fix the vulnerabilities that were exploited
- Determine who needs to be notified and how to do it
Employees whose W-2s have been stolen can find help on the Federal Trade Commission website. Employees who suffer any monetary losses due to an IRS-related incident can report them to the Treasury Inspector General for Tax Administration (TIGTA). And if an employee's tax return is rejected because of a duplicate Social Security number, he/she should file an Identity Theft Affidavit (IRS Form 14039).
Phishing and online scams are scary and, unfortunately, they could be targeting your employees. If you have questions about keeping your company and your employees protected this tax season, or any time, contact Horizon Payroll Solutions for HR support and advice you can trust.