Spoofing Emails Being Sent to Obtain Confidential Employee Information from Employers

One of the many ways scammers attempt to either obtain information from individuals in organizations or get them to take actions that they shouldn’t take is to send an email to the individual purporting to be from a high placed individual in the organization that requests or demands immediate action.  The IRS has issued a notice that such a spoofing email scam is now aimed at getting payroll information from organizations (“IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s”).

Too many individuals are woefully unaware of how easy it is to “fake” a from address in an email.  Frankly it’s a trivial exercise, but the fact that users tend to accept the from address at face value allows a nefarious party to send an email purporting to be from the President, CEO, etc. of the company asking for information to be sent or some action to be taken.

In this case a person with access to the company’s payroll information on employees (such as a controller, HR manager, etc.) receives an email (apparently from the owner, CEO, etc.) requesting that personal information on employees be sent to that person immediately as a reply to the email.  The reply-to address of the email is, as you likely have guessed, not the address of the owner, CEO, etc. but rather an address controlled by the scammers. 

The information received can then be used for all variations of identity theft perpetrated against the employee(s).  That information also will likely be added to a database of information obtained about the employee(s), as well as information about employees at the organization which can then be used to leverage obtaining even more information from the organization via other email or social engineering scams where the third party appears to have information only a “legitimate” source could have about the company.

The IRS warns that it has become aware of a number of such emails.  The notice contains the following examples of some of the details that have been in such emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

Since organizations routinely publish information online about their top management and, even if they don’t, the officers or employees post information about their association with the organization via social media sites like LinkedIn and FaceBook, pulling off this scam doesn’t take great sophistication.

This is not likely to be the only such spoofing scam you may run into.  CPAs in public practice should make clients aware that there is a risk that someone may try such a “spoofing” scam claiming to come from the CPA’s offices.  Again, the link between the CPA firm and the client can often be derived from publicly available information (think about a Form 990 disclosure that shows the preparer of the 990, along with a list of officers) or from information obtained from obtaining such information from other sources.  That can include a situation where a CPA firm staff member’s contact list is compromised or even the simple situation of being able to look at social networks and contacts from social media sites.

Quoting from the well-known line from the Spiderman series “with great power comes great responsibility.”  And, unfortunately, while the use of email provides great power, those using it have to recognize that they have a great responsibility to understand the risks of using that communication medium—and this cannot be treated as “something my IT guy will take care of” because at least some of these scams will get around even the most thorough countermeasures that can be designed into an IT system.