
Warning to HR Directors of Phishing Scam Seeking Employee W-2’s


Written by: Peyton Smith
Shareholder, Litigation Section, Labor & Employment Practice Group at Munsch Hardt Kopf & Harr PC

I was contacted this week by the Director of Human Resources for a technology client with a request for immediate assistance tied to a type of data breach that has, unfortunately, become alarmingly frequent during the first three months of 2016. She had received an email from the President of her company at the end of her workday, noting that senior leadership was working on salary, bonus and budget forecasting for the company and requesting that she send him the W-2’s for key company personnel via PDF. The email was written in his typical conversational style and was signed in the manner in which he signed all his internal emails. Further, the email listed his direct email account as the return address. Before she sent the information or replied, she confirmed the email and signature block and verified with a Vice-President that she could forward the requested information. Upon review of the email and messaging, the Vice-President authorized the production of the requested information and employee W-2’s. Feeling well protected, the HR Director sent the email and the requested W-2’s.

The email was, unfortunately, a scam. A hacker had copied the President’s email signature block and matched his communication and signature style word for word, including creating a “ghost” over his correct email address that cloaked the actual address, so the message appeared to be going to the intended recipient. My client was fortunate in that they caught the data breach quickly, but the information was now in the hands of someone outside the company who clearly had less than honorable ideas about what to do with it. Furthermore, hundreds of employees now had their W-2 information, including their names, addresses, social security numbers and other confidential information, taken by a skilled hacker.

In addressing this issue with my client in recent days, we learned that this phishing scam is incredibly popular right now. The FBI and local law enforcement advised us that there have been more than 700 reported similar cases of hackers fraudulently securing employee W-2 information in the month of March 2016 alone. The hackers appear to be targeting companies with fewer than 3,000 employees, and the email requesting W-2 and similar employee information is nearly always directed to the human resources contact at the targeted company. The IRS has recently released an alert warning employers of this scam and urging them to be increasingly vigilant in protecting company and employee information. (For the latest alert, see: https://www.irs.gov/uac/Newsroom/IRS-Alerts-Payroll-and-HR-Professionals-to-Phishing-Scheme-Involving-W2s) “This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

Employers that have not yet done so are strongly encouraged to implement a proactive plan to decrease the risk of unauthorized disclosure of such information. Each state has different requirements for employee protection, different penalties that might be levied against employers for failing to implement appropriate safeguards for confidential employee information, and different notice requirements in the event a data breach occurs. In the event that a data breach occurs and confidential employee information has been accessed by unauthorized parties, employers should immediately address the issue with more aggressive internal safeguards, contact legal counsel regarding how best to strategically address internal and external legal ramifications of the breach, notify law enforcement (local and the FBI’s Cyber Crimes Division), and inform the IRS of the fraudulent access to employee social security numbers. Simultaneously, employers have a duty to promptly inform employees of the breach and of what increased protections have been put in place to decrease the risk of future data breaches.

In light of these concerns and the increased risk of hacking of personal information, employers are also encouraged to review current insurance policies and to consider whether to purchase cyber insurance coverage. Additional security software for use by the human resources and accounting departments might be a wise and worthy investment to consider as a deterrent to hacking vulnerability. With the increased efforts of hackers seeking W-2 and other personal employee information, prudent employers will partner with their legal counsel to address such concerns before becoming a hacking victim. When considering best practices in protecting employee information, employers should follow the adage “the best defense is a good offense”.
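One check that mail-screening software can run on the kind of request described above, shown as an added example that is not part of the original article: it reviews a message's From, Reply-To and subject/body and lists the reasons the request should be confirmed by phone or in person before anything is sent. The company domain, the executive name and the three sample messages are constructed for illustration, and the exact way the President's address was cloaked in this incident is not known, so the header tests are assumptions about common forms of that trick.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the company's mail domain and executive names.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat example"}
SENSITIVE = re.compile(r"\bW-?2s?\b|\bpayroll\b|social security", re.I)

def domain(addr):
    return addr.rpartition("@")[2].lower()

def review(raw):
    """Return the reasons a message needs out-of-band verification."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    reasons = []
    # An executive's name shown over an address outside the company.
    if name.strip().lower() in EXECUTIVES and domain(from_addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies would be delivered somewhere other than the visible sender.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    # Any request for W-2 or payroll data is verified, even if headers look clean.
    if SENSITIVE.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("requests W-2 or payroll data")
    return reasons

# Constructed sample messages (not taken from the incident).
SPOOFED = ("From: Pat Example <pat.example@example.com>\n"
           "Reply-To: Pat Example <pat.example@mail-example.test>\n"
           "Subject: W-2s for key personnel\n\nPlease send the W-2s as a PDF today.\n")
EXTERNAL = ("From: Pat Example <pat.example.ceo@webmail.test>\n"
            "Subject: Quick request\n\nNeed the payroll file and W-2 copies.\n")
ROUTINE = ("From: Pat Example <pat.example@example.com>\n"
           "Subject: Staff meeting\n\nMoved to 3pm.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("external", EXTERNAL), ("routine", ROUTINE)):
        print(label, review(raw))
```

A message with clean headers can still be fraudulent, which is why the W-2 keyword alone is enough to require a callback to the requester on a known phone number.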

Peyton N. Smith is a Shareholder in the Labor & Employment and Business Litigation practice groups at Munsch Hardt Kopf & Harr, P.C. and is based in the firm’s Austin office.

Cybercriminals Target IRS E-filing PIN application


IRS counters efforts to hack e-filing PIN system.

The Internal Revenue Service (IRS) has released details about a cyber attack upon its Electronic Filing PIN application. The IRS reported that it has stopped the cyber attack.

IRS officials said they identified unauthorized attempts involving approximately 464,000 unique Social Security Numbers (SSNs), of which 101,000 were used to successfully access an E-file PIN. The automated attack used personal data stolen elsewhere outside the IRS to attempt to generate E-file PINs for the SSNs.

“Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for SSNs,” the IRS said in a prepared statement. “No personal taxpayer data was compromised or disclosed by IRS systems. The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application.”

All affected taxpayers will be notified by mail of the attack. “The IRS is also protecting their accounts by marking them to protect against tax-related identity theft,” the agency added.

The IRS was also quick to assure that the attack was not related to the temporary shutdown of the e-filing system, during which time the IRS could not accept many returns due to a system-wide computer failure, according to Fortune.

IRS cybersecurity experts are currently assessing the situation, and the IRS is working closely with other agencies and the Treasury Inspector General for Tax Administration. The IRS also is sharing information with its Security Summit state and industry partners.

In this recent event, cyber criminals used a list of known SSNs to make repeated attempts to access the IRS’s Get My Electronic Filing PIN portal. But as Naked Security pointed out, “Ironically, an E-Filing PIN is a sort of second factor of authentication (2FA), that you need, along with other personal data, when submitting online tax returns. In other words, it seems that you can request your second factor of authentication by using your first factor, which isn’t quite the idea of 2FA.”

This new attack follows a 2015 massive data breach at the IRS, during which hackers stole information from approximately 330,000 taxpayers to obtain $50 million in federal funds through false tax returns. An inspector general report following the breach discovered that the computer system the IRS had been using to detect identity theft may have been vulnerable to hackers.

These breaches underscore the importance of proactive data security that closes off the opportunities for such events to occur in federal databases. They also highlight concerns about requiring multi-factor authentication to access sensitive data.