Every tax season brings scams that defraud individuals and companies of money from tax returns. This year, however, has started off with a bang, and that gives the healthcare industry another reason to worry. On March 1, 2016, the IRS issued an alert warning “payroll and human resources professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.” Less than a week later, on March 7, the Attorney General of North Carolina sounded a similar alarm concerning the rise in phishing-related breaches, reporting that “[i]n 2016, 26 phishing breaches have been reported by businesses and other organizations, with 16 of those reports coming within the past two weeks, compared to eight phishing breaches reported in all of 2015.”
The scheme typically begins with a “spoofed” email that appears to have been sent by a company’s CEO or another high-ranking executive to one or more employees in the human resources or payroll departments. In many cases, the sender’s email address matches the executive’s real address, and the tone or style of the message is convincingly similar to that of the individual who is supposed to have sent it. The email asks the recipient to reply to the “CEO” with certain employee personal information, usually including Social Security numbers. It may ask specifically for W-2 forms, or may instead ask for a compilation of employee data similar to what appears on tax documents. The employee, accepting the request as legitimate, forwards the requested information to the perpetrator.
Companies of all sizes and across all industries, including healthcare, have reported receiving phishing emails that fit this pattern. Media reports indicate that multiple hospitals have been spear-phished with what appears to be this scam. To help avoid a similar fate, organizations should warn their human resources and payroll departments about this increasingly prevalent phishing scheme. Employees should be reminded of privacy and security policies concerning the disclosure of personal information, and be advised that any email request for sensitive data should be confirmed as authentic through direct contact with the apparent sender (by phone or in person, not by replying to the email itself).
Unfortunately, the W-2 request variant isn’t the only phishing scam putting taxpayers at risk this season, as old-fashioned IRS-impersonation phone hoaxes also remain an issue. You can review a compilation of IRS alerts regarding these threats as well as further information on how to avoid tax-related identity theft on the IRS’s website.