The scam goes like this. As an HR professional, you get an e-mail from your boss (or your boss’s boss) that seems legitimate…and urgent. Something like this:
I’m in the middle of a negotiation so won’t be available by cell or e-mail but I need you to send W-2s for the management team to our new accountants. You can e-mail them to [____________]. Needs to be done today. Sorry for the rush on this and please take this as an exception to normal protocol. Thanks. – Alan
It’s happened before. Indeed, as Bill explained in the article:
“Alan was the chief financial officer,” said William J. Roberts, a Hartford, Conn.-based data privacy attorney with the law firm Shipman & Goodwin LLP. But in this case, it wasn’t Alan who was sending the e-mail. Despite the company’s policy prohibiting employees from sending sensitive documents through e-mail, a newly hired junior HR professional fell for the phishing scam and sent the W-2s to the cyberthief’s e-mail address.
That’s more than just an “Oops” moment.
Although the IRS is taking steps to help reduce this, the best defense is for HR professionals to be aware of this scam. I previously discussed this back in March 2016 with a quick post but it’s worth looking at some of the tips presented in the SHRM article including:
- Train employees on cybersecurity awareness. Many companies do not.
- Use common sense and avoid making electronic requests for sensitive data. It’s not just an e-mail threat; phishing by text is also on the rise….
- If you receive an e-mail from upper management, verify the request….