By Marlene Y. Satter
Plan advisors should be aware that the IRS has alerted human resources professionals to a new hacker scheme.
The alert warns payroll and HR professionals to beware of an emerging phishing e-mail scheme that purports to be from company executives and requests personal information on employees.
With hackers increasingly turning their attention to the reams of personal data, not to mention the cash, in the $5 trillion 401(k) market, it’s a scheme plan sponsors and administrators should also be on the watch for.
The scheme, unfortunately, has already seen some success, amid the surge in phishing e-mails so far this year.
Several have already fallen victim to e-mails that get payroll and human resources offices to mistakenly e-mail payroll data, including Forms W-2 that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.
This particular phishing scheme is characterized as “spoofing.”
The e-mail will typically contain the actual name of the company’s chief executive officer, and will on the surface come from the “CEO” to a company payroll office employee requesting a list of employees and information including SSNs.
According to the IRS, these e-mails will also contain some of the following statements, or variations on them:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
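The traits described above (an executive's name on the message, plus a request for W-2 or SSN data) can be checked mechanically before a message reaches a payroll inbox. The following is an added example, not part of the original article or the IRS alert; the executive roster, the company domain, the Reply-To check and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): executive roster and company mail domain.
# All names and addresses below are constructed placeholders.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
COMPANY_DOMAIN = "example.com"

# Terms drawn from the request wording quoted in the IRS alert.
SENSITIVE = re.compile(
    r"\bW-?2\b|social security number|\bSSNs?\b|date of birth|"
    r"wage and tax statement|list of employees", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def assess(raw):
    """Return reasons to hold a message until the sender is verified out of band."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    known = EXECUTIVES.get(" ".join(name.lower().split()))
    if known and addr.lower() != known:
        reasons.append("executive display name on unknown address")
    if reply_to and domain(reply_to) != COMPANY_DOMAIN:
        reasons.append("replies leave the company domain")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    if SENSITIVE.search(body) or SENSITIVE.search(msg.get("Subject", "")):
        reasons.append("requests employee tax or identity data")
    return reasons

# Constructed sample messages.
SPOOFED = ("From: Jane Doe <jane.doe@examp1e-mail.test>\nSubject: Quick review\n\n"
           "Kindly send me the individual 2015 W-2 (PDF) of all company staff.\n")
REPLY_TO = ("From: Jane Doe <jane.doe@example.com>\n"
            "Reply-To: jane.doe@mailbox.test\nSubject: Staff list\n\n"
            "Send me the updated list of employees with Social Security Number.\n")
BENIGN = ("From: Jane Doe <jane.doe@example.com>\nSubject: Lunch\n\n"
          "Are we still on for the budget meeting at noon?\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reply-to", REPLY_TO), ("benign", BENIGN)):
        print(label, assess(raw))
```

A request for employee tax or identity data is worth confirming with the executive by phone or in person even when no sender anomaly is reported, since header fields can be forged.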
“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” John Koskinen, IRS commissioner, said in a statement.
Koskinen added, “Now the criminals are focusing their schemes on company payroll departments. If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”
That goes for retirement plans
Originally posted on BenefitsPro.com