Now that we’re safely past the holidays, you might think you can relax when it comes to shopping scams. But, sorry to say, there are more threats on the horizon. Both the IRS and FBI warn that end-of-year finance and tax preparation activities create significant opportunities for hackers to target employees.
According to the Society for Human Resource Management (SHRM), these attacks come in different forms. One type of scam appears to come from the IRS itself, and targets payroll departments as they “[prepare] for end-of-the-year tax report deadlines.” Similar to tax-season scams that send emails or make phone calls to individual taxpayers requesting information, these emails ask that payroll departments send employee personal data. As SHRM notes, these emails can be very sophisticated, which means they may be difficult to spot, especially if employees aren’t familiar with these types of scams.
Another strategy involves attempting to access private data through a company’s payroll system. With this scam, users receive an email that appears to come from the payroll system and are led to a fake login screen that captures their credentials. From there, the hacker can use those credentials to access the employee’s personal data. The hacker can even change direct deposit settings (without the actual employee being notified) to reroute payroll. As scams go, this one has a potentially huge and relatively easy payoff: simply by getting an employee to a fake credential-entry screen, a hacker can not only steal data but also, with little extra effort, steal actual cash.
How can we protect against these kinds of scams? First of all, normal phishing precautions apply. Make sure that you, and all employees, understand how to properly analyze a potentially suspicious email:
- Does the email include embedded links (in the case of the IRS scam, probably a link to a fake IRS site)?
- Check the URL each link actually leads to: does it look correct? For instance, does a link that claims to go to the IRS website really lead there?
- Does the email contain an extreme call to action, and give the recipient an unusually tight deadline under which to complete it?
- Is the “from” email address correct? In other words, is the email actually coming from the person or organization it appears to be coming from?
- If the email leads you to a secondary landing page, does that page look legitimate? (In the case of either an IRS email or an email from a payroll provider, keep in mind that you should be able to type the organization’s known URL into your browser yourself and log in there, which avoids relying on any link in the email.)
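The first four checks in the list above (embedded links, where they really point, urgent language, and the “from” address) can be automated as a triage aid for a payroll or help-desk mailbox. The following is an added example, not code from the original article: it parses a raw message, extracts the links from the HTML body, compares the domain shown in each link’s visible text with the domain in its actual `href`, checks the sender’s domain against the organization the email claims to be from, and flags pressure language. The sample message and every domain in it are constructed (they use the reserved `.example` top-level domain) and stand in for whatever a real scam email would contain.

```python
"""Heuristic red-flag checks for a suspicious email (added example).

The message below is constructed for the example; no real sender, link or
organization is referenced. The checks mirror the manual questions a payroll
employee is told to ask: embedded links, mismatched link targets, urgency,
and a "from" domain that does not belong to the claimed organization.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to be the IRS, link text says irs.gov, but the
# href goes to a look-alike host. (.example is a reserved TLD.)
SAMPLE_EMAIL = """\
From: "IRS Payroll Compliance" <compliance@irs-notice.example>
To: payroll@company.example
Subject: URGENT: W-2 data due within 24 hours
Content-Type: text/html

<html><body>
<p>Final notice. Submit all employee W-2 forms <b>today</b> or face penalties.</p>
<p><a href="http://irs-gov-verify.example/login">https://www.irs.gov/</a></p>
</body></html>
"""

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|final notice|today)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.all_text = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        self.all_text.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname; adequate for .gov/.com/.example hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname from a URL, or from bare text such as 'www.irs.gov'."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).hostname or ""


def analyze(raw_message, expected_sender_domain):
    """Return a dict of red flags for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registered_domain(msg["From"].addresses[0].domain)

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
        collector.close()
    else:  # plain text: any bare URL counts as an embedded link
        collector.all_text.append(content)
        collector.links = [(u, u) for u in re.findall(r"https?://\S+", content)]

    # A link is suspicious when its visible text looks like a URL or host
    # whose domain differs from the domain the href actually goes to.
    link_mismatches = []
    for href, text in collector.links:
        shown = host_of(text) if re.search(r"\w\.\w", text) and " " not in text else ""
        if shown and registered_domain(shown) != registered_domain(host_of(href)):
            link_mismatches.append((href, text))

    visible = " ".join([str(msg["Subject"] or "")] + collector.all_text)
    return {
        "sender_domain": sender_domain,
        "sender_mismatch": sender_domain != expected_sender_domain.lower(),
        "embedded_links": [href for href, _ in collector.links],
        "link_mismatches": link_mismatches,
        "urgent_language": bool(URGENCY.search(visible)),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL, "irs.gov").items():
        print(f"{key}: {value}")
```

Each flag corresponds to one question on the list; none of them proves a message is a scam, and a clean result does not prove it is genuine, so the output is a prompt for the human verification step the article recommends (typing the known URL yourself or calling the provider through a number you already have), not a replacement for it.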
Particularly with these kinds of scams, common sense is your greatest tool. Don’t let fear or surprise take over; think rationally about the email you’ve just received. Does it make sense that the IRS would be emailing your department about this particular issue or individual? In the case of the second scam, were you expecting an email like this from your payroll provider? Emails of this nature should almost always line up with something you were already aware of internally. If they don’t, your safest bet is to independently verify through a channel you already trust. Also, remember that the IRS only requests information or action in writing on actual paper, never by email or over the phone.
As always, the best way to stay secure in the ever-changing threat landscape is to maintain awareness and offer ongoing phishing simulation and testing. If these scams could be targeting your departments, make sure employees know they are occurring, and that they understand how to protect themselves.