What it is and History
Identity thieves try to obtain personally identifying information so they can misappropriate it and steal from their victims. A phishing scheme that was popular in 2016, and that will probably be tried again in 2017, is spoofing organizations to obtain their payroll records. The Treasury Inspector General for Tax Administration estimates this fraud scheme has cost US businesses $21 billion.
There are two variations of this scheme. In one, a spoofed email appears to come from the CEO of the company. In the other, a spoofed email appears to have been sent by the IRS or the state Department of Revenue. In both cases the email instructs the recipient to fax or email copies of the organization's W-2s and 1099s. The spoofed email will often claim that several employees have been identified as potential victims of tax return identity fraud and that the taxing authorities need the documents to help prevent further fraud and to protect the organization's employees from identity theft.
Employees of the State of Vermont were hit with a similar fraud scheme. In this case the employees received a phishing email that read:
“Dear Account Owner, Our records indicate that you are enrolled in the Vermont State paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing. Your 2015 W2 corrected statement is ready for viewing, follow the link below Click Here to Login To opt out of the Paperless W2 Program, please login to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions. Vermont State’s Human Resource Management Systems”
When the employees clicked on the link and attempted to retrieve their W-2 forms, the criminals captured their user IDs and passwords, which they then used to log onto the state's payroll system and obtain copies of the employees' W-2s.
The most important internal control for preventing these types of fraud is training. Employees need to be trained to watch for phishing emails and to report them to their supervisors.