Be cautious about requests for information

If you received an email from your CEO requesting W-2 data, you’d probably want to reply as quickly as possible. One problem: You could inadvertently be sending payroll information to a hacker.

Phishing schemes involving W-2s have spiked recently – so much so that the IRS has just issued a warning to payroll and HR professionals.

“Spoofing” emails will appear to be from someone inside your organization, often an executive, asking for a list of employees and information, such as Social Security Numbers (SSN).

What makes these attacks so difficult to stop is that it’s easier than ever to get inside information on a company. All hackers need to do is check out LinkedIn pages to find out who’s who in the organization.

The emails coming in to Payroll departments sound legit, warns the IRS. Here is an example:

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review.

Or a request might be for details about employees, including each person’s name, SSN, date of birth, home address and salary.

Protect confidential data

You can avoid getting duped. Here are six steps you can take:

Don’t rush to reply. It’s better to take a few minutes to be safe than to turn over employees’ private data to cybercriminals.

Always check that an email is coming from a work address before replying. Plus, look carefully for minor discrepancies – such as tsmith@xyz.com as opposed to tsmith@xyz.org.

Watch out for subtle tricks. Some hackers will put in typos to make the email appear more legitimate.

Compare the current email from the alleged VIP to older emails. How similar is the writer’s voice?

Don’t be afraid to say, “I’m not comfortable sending that over the email” if it contains potentially sensitive information.

If something feels off, pick up the phone and call the sender or walk over to his or her desk – confirm the request before proceeding.
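
The sender-address check from the steps above can also be automated at the mail gateway. The following is an added example, not part of the original article: it flags look-alike sender domains and requests for W-2 or personal data. The domain xyz.com is the article's example; the function names, keyword list, similarity threshold and sample messages are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "xyz.com"  # assumption: the only domain staff mail is sent from
# Terms drawn from the requests the article describes.
SENSITIVE = re.compile(r"\bW-?2s?\b|social security|\bSSN\b|date of birth|salary", re.I)

# Constructed sample: the display name shows the real address, the actual sender is xyz.org.
SAMPLE_SPOOF = (
    'From: "T Smith tsmith@xyz.com" <tsmith@xyz.org>\n'
    "To: payroll@xyz.com\n"
    "Subject: Quick review\n"
    "\n"
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2s.\n"
)


def sender_domain(header_value):
    """Domain of the real address in a From header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, org=ORG_DOMAIN):
    """True for a domain that is not ours but is easy to misread as ours."""
    if not domain or domain == org:
        return False
    if domain.split(".")[0] == org.split(".")[0]:  # same name, different ending
        return True
    return SequenceMatcher(None, domain, org).ratio() >= 0.8  # one-letter variations


def review(raw_message):
    """Reasons to confirm a plain-text message by phone before replying."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg["From"])
    if is_lookalike(domain):
        reasons.append(f"look-alike sender domain: {domain}")
    elif domain != ORG_DOMAIN:
        reasons.append(f"external sender domain: {domain}")
    body = "" if msg.is_multipart() else msg.get_payload()
    if SENSITIVE.search(f"{msg['Subject'] or ''}\n{body}"):
        reasons.append("requests W-2 or personal employee data")
    return reasons
```

A From domain that matches proves little, because the header itself can be forged, so the phone confirmation in the last step still applies to any request for this data.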