Three Schemes Targeting Human Resources Professionals
Posted: February 14, 2018
In recent months, a number of federal agencies, including the Federal Bureau of Investigation (FBI) and the Internal Revenue Service (IRS), have warned employers about new scams targeting employees' direct deposit, W-2 and I-9 information. These scams have already wreaked havoc on scores of companies.
Here are three of the most problematic scams human resources professionals need to be aware of:
1. Direct deposit information
The most recent warning for employers came from the FBI. It involves a phishing scam in which cybercriminals trick employees into unwittingly giving the scammer access to the company's self-service payroll platform.
The version of the scam that should most concern human resources professionals: someone posing as the company's human resources department sends an employee an email asking them to click a link in the message and log into their self-service account.
The scammer will claim the employee must do this in order to:
- view a confidential email from human resources
- view changes to the employee's account, or
- confirm that the account should not be deleted.
However, the link leads to a site controlled by the scammer, so when the employee enters the requested login information they are handing their credentials to the scammer, who gains access to the employee's W-2 and paystub information. The scammer can then change the employee's direct deposit instructions and avoid detection by changing the email address used to notify the employee that such changes were made.
Scammers may also change an employee's password or other credentials to keep the fraud from being discovered for as long as possible. In many cases, employers learn of the fraud only when workers report that their wages are not being deposited.
To prevent falling victim to this scam, XpertHR says the FBI is warning employers to:
- Train employees to watch for phishing attacks and suspicious links. Checking the sender's actual email address and domain, rather than just the display name, can be crucial to spotting the attack early.
- Require two-factor authentication on human resources self-service platforms. For example, users can be required to enter a second code that is emailed to them or generated by a hardware token. Because the scammer may already control the employee's notification email address, a hardware token or authenticator app is the stronger choice.
- Set up alerts on self-service platforms so administrators can catch unusual activity before money is lost. Alerts may be triggered, for example, when banking information is changed to online bank accounts typically used by fraudsters, or when banking details and the notification email address are changed at about the same time.
- Set a time delay between when direct deposit information is changed in the self-service portal and the first deposit of funds into the new account, so that an employee or administrator has a chance to notice the change before wages are diverted.
2. Growing W-2 scam
The IRS also recently warned employers about a W-2 scam that impacted "hundreds of organizations and thousands of employees last year."
Reports of the Form W-2 scam skyrocketed last year (about 900 reports in 2017 compared to a little over 100 in 2016), and cybercriminals have easily tricked scores of payroll professionals, and other staffers with access to payroll information, into disclosing sensitive information about the entire workforce.
In general, the scam involves an email appearing to come from a company executive asking payroll professionals for a list of employees and their W-2s.
With its warnings, the IRS is hoping to prevent another record year for scammers. More details, or what to do if you have fallen victim to the scam, are available on the IRS website.
3. A convincing I-9 request
Finally, if you get a very convincing email purporting to come from U.S. Citizenship and Immigration Services (USCIS) about information on your employees' I-9s, do not follow its instructions.
The I-9 information request is yet another in a series of sophisticated scams targeting employers. And the scam appears to be working.
Employers are not required to submit Forms I-9 to USCIS, so such a request should raise red flags for experienced professionals. But the request is tripping up employers because the emails look very authentic. In fact, the emails appear to come from a USCIS email address (email@example.com). According to USCIS, however: "This is not a USCIS email address." The messages even carry labels from both USCIS and the Office of Inspector General.
As if that is not enough to fool some time-strapped human resources professionals, many of the emails also contain other details designed to make the messages appear legitimate — like your company's mailing address.
The USCIS, however, has made it abundantly clear it is not sending any emails to employers about their I-9s. It is also warning firms not to click on any links in the email or respond to the sender.
Employers may also be tripped up because federal agencies recently announced they are ramping up I-9 audits, and firms want to respond as quickly as possible to any I-9-related requests.
Again, the USCIS will not email about an I-9 audit.
As Alliance 2020, a background screening and information services provider, reminds employers:
Audits of I-9s are conducted by Immigration and Customs Enforcement or the Department of Labor, and notification of an upcoming audit is always done by a written notice from the agency. USCIS never requires employers to submit Forms I-9 to USCIS unless they are being audited [and] never requires an employer to email copies to [USCIS]. At this time, the officials will choose where they will conduct a Form I-9 inspection. For example, officials may ask that an employer bring Forms I-9 to a U.S. Immigration and Customs Enforcement field office. Sometimes, employers may arrange for an inspection at the location where the forms are stored.
To prevent your company from falling victim to this I-9 scam, there are several preemptive steps you should take right away:
- First, make sure your employees are aware of the I-9 scam email and what the phony email will look like.
- If workers do receive an I-9 information request, they should report it to the Federal Trade Commission via the ftccomplaintassistant.gov site.
- Also, if you receive an email from USCIS and are not sure it is legitimate, you can always double-check by forwarding it to firstname.lastname@example.org.
Posted In: Human Resources, General; Employment Eligibility Verification (Form I-9); Fraud, Abuse, and Scams; Department of Labor (DOL); Internal Revenue Service (IRS); Immigration & Customs Enforcement (ICE)
Want to know more? Read the full article by Jared Bilski at HR Morning