HR pros targeted in new scams: 3 schemes the FBI, IRS say to watch for
Heads up: In recent months, a number of federal agencies — including the FBI and IRS — are warning employers about new scams targeting employees’ direct deposit, W-2 and I-9 information. And these scams have wreaked havoc on scores of companies.
Here are three of the most problematic scams HR pros need to be aware of:
1. Direct deposit information
The most recent warning for employers came from the FBI. It involves a phishing scam in which cybercriminals attempt to get employees to unwittingly provide the scammer access to the company’s self-service payroll platform.
In the version of the scam HR pros will be most interested in, a person pretending to be from the company’s HR department send an email asking an employee to click on a link provided in the email and log into their self-service account.
The scammer will claim the employee must do this in order to:
- view a confidential email from HR
- view changes to the employee’s account, or
- confirm that the account should not be deleted.
However, when the employee clicks on the link and enters the requested info, they’re actually providing info on their W-2 and paystub info. The scammer can then change the employee’s direct deposit instructions, and prevent detection by changing the email address used to notify the employee such changes were made.
Scammers may also change an employee’s passwords or other necessary credentials to keep the fraud from being discovered for as long as possible. In many cases, employers aren’t aware of anything until they hear from workers that their wages aren’t being deposited.
To prevent falling victim to this scam, XpertHR says the FBI is warning employers to:
- Train employees to watch for phishing attacks and suspicious malware links. Checking the actual e-mail address rather than just looking at the display name can be crucial to spotting the attack early.
- HR self-service platforms should have two-factor authentication. For example, users can be required to enter a second password that is e-mailed to them or a hard token code.
- Set up alerts on self-service platforms for administrators so that unusual activity may be caught before money is lost. Alerts may be triggered for when banking information is changed to online bank accounts typically used by fraudsters.
- Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account to decrease the chance of the theft of funds.
2. Growing W-2 scam
The IRS also recently warned employers about a W-2 scam that impacted “hundreds of organizations and thousands of employees last year.”
Reports of a Form W-2 scam skyrocketed last year (900 reports in 2017 compared to a little over 100 in 2016), and cybercriminals have easily been able to trick scores of payroll pros – and other staffers with access to payroll info – into disclosing sensitive info about the entire workforce.
In general, the scam involves an email appearing to come from a company exec, asking payroll pros for a list of employees and their W-2s.
With its warnings, the IRS is hoping to prevent another record year for scammers. For more details or what to do if you’ve fallen victim to the scam, click here.
3. A convincing I-9 request
Finally, if you get a very convincing email from the U.S. Citizenship and Immigration Services (USCIS) agency about info on your employees’ I-9s, don’t follow the instructions.
The I-9 info request is yet another in a series of sophisticated scams targeting employers. And the scam appears to working.
Employers aren’t required to submit Forms I-9 to the USCIS, so such a request may raise some red flags for some folks. But the request is tripping up employers because the emails look very authentic. In fact, the emails actually come from a uscis.gov address. Plus, they even contain labels from both USCIS and the Office of Inspector General.
As if that’s not enough to fool some time-strapped HR pros, many of the emails also contain other details designed to make the messages appear legitimate — like your company’s mailing address.
The USCIS, however, has made it abundantly clear it’s not sending any emails to employers about their I-9s. It’s also warning firms not to click on any links in the email or respond to the sender.
Employers may also be tripped up because the feds recently announced they are ramping up I-9 audits, and firms want to respond as quickly as possible to any I-9-related requests. Again, the USCIS won’t email about an I-9 audit.
As Alliance 2020, a background screening and information services provider, reminds employers:
“Audits of I-9’s are conducted by the Immigration and Customs Enforcement or the Department of Labor and notification of an upcoming audit is always done by a written notice from the agency. USCIS never requires employers to submit Forms I-9 to USCIS unless they are being audited….never requires an employer to email copies to them. At this time, the Officials will choose where they will conduct a Form I-9 inspection. For example, officials may ask that an employer bring Form I-9’s to a U.S. Immigration and Customs Enforcement field office. Sometimes, employers may arrange for an inspection at the location where the forms are stored.”
To prevent your company from falling victim to this I-9 scam, there are several preemptive steps you should take ASAP:
- First, make sure your employees are aware of the I-9 scam email and what the phony email will look like.
- If workers do receive an I-9 info request, they should forward those messages to the Federal Trade Commission via the ftccomplaintassistant.gov site.
- Also, if you receive an email from the USCIS and aren’t sure it’s legit, you can always double-check by forwarding it to uscis.webmaster@uscis.dhs.gov.