New Phishing Scheme Targeting Human Resources and Payroll Professionals

The Internal Revenue Service recently issued an alert to warn of a new phishing email scheme specifically targeting human resources and payroll professionals and already hitting a number of companies nationwide. The scheme presents recipients with an email request that appears to be from internal executives asking for employees’ personal information. Failing to recognize the scheme, HR and payroll personnel respond and mistakenly release confidential employee and payroll data including Forms W-2 that contain Social Security numbers and other protected information sought by identity thieves. Scams around tax season are not new, but this version of a phishing scheme is proving particularly effective.

Kroll is actively working with companies to combat this scheme, helping organizations fulfill their regulatory data breach notification requirements, and further recommends the following steps for companies who may fall victim to this type of data theft.

• Consider Your Legal Obligations
  Be sure to assess your legal or compliance requirements for notification. Email is often the easiest way to communicate with your employees, although some laws may still require physical notice as well. There are many experienced attorneys and law firms well-versed with notification laws that can guide you on your obligations.
• Educate Quickly
  Employees, especially those who work in senior leadership and human resources, should be trained immediately on the following: how to identify fraudulent emails or phishing attacks and who to notify internally of suspicious communications.
• Provide Fast and Accurate Communication
  Take care not to over-communicate about the event, which could amplify the employees’ perception of danger or severity, but be certain to succinctly message what happened, what you have done to prevent future incidents and how you have taken steps to provide your employees with identity monitoring solutions.
• Offer Meaningful, Actionable Solutions
  If your organization falls victim to this type of phishing scheme, offer services that include not only identity monitoring, but go further by providing for your employees consultation and restoration services that provide direct access to licensed investigators who can advise on and resolve potential identity theft cases.
• Bring in Experts
  In confirmed breach situations, your employees will be concerned, and the default assumption will likely be that their information is actively being sold online. You can do much to mitigate the situation and their concerns by engaging expert resources versed in notification, call center, identity monitoring and restoration services.
• Deploy Technical Measures
  Prevent the emailing of sensitive data, including W-2 documents, by using technical measures. Configure your email system to deny the receipt of emails appearing to be from mailboxes at your organization (blocked spoofed emails). Configure data loss prevention systems to identify W-2 documents.

Identity thieves often file fraudulent tax returns early in filing season. Usually, the victim is not made aware that the theft has taken place until they find that they cannot file their own legitimate tax return electronically because a return associated with their SSN was already received by the Internal Revenue Service. Additionally, they might receive correspondence by postal mail from the IRS stating that more than one tax return was filed, or they find collection actions were taken against them for a year they did not file a tax return.

Kroll recommends you offer services that go beyond simply monitoring credit. While credit monitoring is meaningful, it does not capture areas of compromise such as tax fraud, employment fraud and criminal impersonation. By offering noncredit monitoring, as well as direct access to investigators to help each employee handle fraud and identity theft issues, you will show your employees that your business is committed to giving them knowledgeable resources to avoid further consequences from the phishing scheme. The reassurance an impacted individual gains from personally speaking with a restoration expert, someone who can answer questions, advise on areas of concern or provide customized preventative action steps, is invaluable.

Should an investigator confirm that an employee’s identity has been stolen or compromised, they can promptly begin a restoration process. Restoration includes investigation of emergent and potentially complex trails of fraudulent activity, making phone calls, issuing fraud alerts, interacting with affected financial institutions and preparing appropriate documentation. The average person is often ill-equipped to handle an identity theft situation, so by providing access to expert guidance, you are going the extra step to fully support your employees in dealing with issues that resulted from the phishing scheme and any resulting breach.

This new phishing scheme represents a persistent trend Kroll continues to see. As the FBI recently warned, all types of phishing schemes have cost U.S. businesses more than $740 million between October 2013 and August 2015. Victim reports have almost tripled since January 2015. Kroll expects the unfortunate trend to continue, and urges companies to take proactive, preventative steps to protect the personal information they store, and recommends offering holistic, responsive solutions to help individuals recover from any resulting identity theft incidents.