PROVIDENCE, RI — After receiving a phone call from a local business alerting us to a scam, Attorney General Peter F. Kilmartin is warning all businesses of an emerging email scam that purports to be from company executives and requests personal information of employees.
The scammers send emails that appear to be from the CEO to human resources or payroll divisions or third-party payroll companies requesting payroll data for employees including W-2 forms that contain Social Security numbers and other personally identifiable information. The emails contain names and titles of actual CEOs or other company executives, yet these emails are sent using “spoofing” technology to mimic legitimate emails.
With the information in hand, cybercriminals can use the information to file fraudulent tax returns for refunds, among any number of other ways to monetize the data.
According to the IRS, the following are some of the details contained in the e-mails:
- “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
- “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”
- “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”
Should an HR professional or payroll company receive one of these emails, Attorney General Kilmartin advises they call the CEO or person who allegedly sent the email to confirm they did indeed send the email. The Attorney General strongly advises to not merely respond via email seeking confirmation that the person did indeed send the email as the email response will be directed to the spoofed email being directed by the cybercriminal.
“As someone who had federal tax returns filed in their name, I know firsthand the time and expense that being a victim of this crime can cost,” said Attorney General Kilmartin. “Email scammers are getting more and more clever, which means that people must be more on guard than ever.”
If a company determines they are a victim of this came, the Attorney General suggests the company contact the Office’s Consumer Protection Unit, report the information to the IRS and file a police report. In addition, companies should alert their employees and offer them free credit monitoring services. For employees, they should put a fraud alert on their credit accounts by contacting the three credit reporting agencies.