The animal heralding March's arrival this tax-filing season is not a lion or a lamb, but a fish, or rather a phish.
Yep, a new phishing scam has emerged, with tax crooks trying out a new scheme that targets payroll and human resources professionals.
The Internal Revenue Service today issued an alert to the folks who handle employee data to be wary of a phishing email purporting to be from company executives seeking personal information on employees.
I know it's thrilling -- or terrifying if your big boss is anything like The Donald (and I've also worked for a few of those fu…folks) -- to hear from the top executive. Just make sure it is indeed the top executive.
But let's take a quick reality check.
Do you really think a corporate CEO wants or needs the Social Security numbers and other personal data of all workers? I've worked for companies, big and small, and management has plenty of other things to worry about. That's why businesses have HR departments or outsource to payroll companies.
And if the big boss really is seeking personal data on you or any of your coworkers, you might want to look for another job.
Fake boss criminal requests: In most cases, such corporate big-wig requests for rank-and-file personal data is a scam.
So take a minute before replying. Then don't reply. Instead, tell your boss, who then should reward you for your attentiveness and diligence in protecting workers and the company.
In this latest phishing ploy, one of several the IRS has seen surging this tax-filing season, the faux corporate execs are asking for payroll data, including W-2 forms that contain Social Security numbers and other personally identifiable information.
"This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments," warns IRS Commissioner John Koskinen.
"If your CEO appears to be emailing you for a list of company employees, check it out before you respond," adds Koskinen. "Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."
Unfortunately, says IRS Criminal Investigation, some folks have already been caught in these cyber criminals' phishing net. They then will use the data to file fraudulent tax returns for refunds.
Spotting the spoofed boss: This latest phishing variation is known as a spoofing email. It will contain, for example, the actual name of the company chief executive officer.
The purported CEO sends an email to a company payroll office employee and requests a list of employees and information including Social Security numbers.
Here are some of the requests the IRS says it has seen in the fake CEO e-mails:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary) as at 2/2/2016.
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
Big phishing season: This business-themed phishing warning comes on the heels of the IRS' recent alert to consumers about the explosion this filing season of fake tax-related emails.
Uncle Sam's tax collector says it has seen an approximate 400 percent surge in phishing and malware incidents so far this tax season.
No taxpayer or tax-related group is immune.
And they cover a wide range of topics, ranging from criminal requests for information about refunds, filing status, personal information, transcripts and tax-filing personal identification numbers.
So be alert. I know you get a lot of tax-related messages this time of year. Some of it is legitimate. Just make sure of that before responding.
You also might find these items of interest: