The IRS has issued further warnings to payroll and human resources professionals to beware of tax season phishing scams requesting details of company employees.
Despite tax season phishing scams receiving a high profile last year, the IRS has seen a 400 percent surge in phishing and malware incidents so far this tax season – many of the scams targeting payroll and human resources professionals to obtain employee data.
The IRS Criminal Investigation department is reviewing multiple cases in which scammers have tricked people into revealing sensitive data that the criminals can monetize by filing fraudulent tax returns for refunds. The emails appear to come from a high-ranking executive and request a list of employees including their Social Security numbers. The IRS released details of three typical tax season phishing scams:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
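All three messages share the same shape: a request to send something, a scope covering all staff, and a payroll or tax data term. The following is an added example, not IRS guidance or code from the original article, showing a mail-filter rule that flags that combination; the word lists and the 40-character window are assumptions chosen for illustration.

```python
import re

# Assumed rule (not from the IRS): flag a message only when it combines
# a request verb, a bulk scope, and a payroll/tax data term.
REQUEST = re.compile(r"\b(send|email|forward|prepare|provide)\b", re.I)
BULK = re.compile(
    r"\b(all|list|lists)\b.{0,40}\b(employees?|staff|w-?2s?)\b"
    r"|\b(employees?|staff)\b.{0,40}\b(list|lists|all)\b",
    re.I | re.S,
)
SENSITIVE = re.compile(
    r"\bw-?2s?\b|social security numbers?|\bssns?\b"
    r"|wage and tax statements?|date of birth",
    re.I,
)

def score_message(body):
    """Return which of the three signals are present in the message body."""
    return {
        "request": bool(REQUEST.search(body)),
        "bulk": bool(BULK.search(body)),
        "sensitive": bool(SENSITIVE.search(body)),
    }

def is_bulk_payroll_request(body):
    """True only when all three signals occur together."""
    return all(score_message(body).values())

# The three message texts quoted in the article.
PAGE_SAMPLES = [
    "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of "
    "all W-2 of our company staff for a quick review.",
    "Can you send me the updated list of employees with full details (Name, "
    "Social Security Number, Date of Birth, Home Address, Salary).",
    "I want you to send me the list of W-2 copy of employees wage and tax "
    "statement for 2015, I need them in PDF file type, you can send it as an "
    "attachment. Kindly prepare the lists and email them to me asap.",
]

# Constructed benign messages (not from the article) that must not be flagged.
CONSTRUCTED_BENIGN = [
    "Where can I download my own W-2 for 2015?",
    "Please send the list of all staff attending Friday's training.",
    "Please send me a copy of my W-2.",
]

if __name__ == "__main__":
    for msg in PAGE_SAMPLES + CONSTRUCTED_BENIGN:
        print(is_bulk_payroll_request(msg), score_message(msg), msg[:50])
```

A match is a reason to hold the message and confirm the request with the named executive through a separate channel, not proof of fraud.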
Scammers Targeting Entities outside the Corporate World
The tax season phishing scams are not exclusively targeted towards corporate organizations with large payrolls. In one case being investigated by the IRS, the payroll of the Virginia Wesleyan College was disclosed to an unauthorized third party by a college employee who believed the phishing email was a legitimate internal request. On discovery of the disclosure, college officials immediately notified the FBI, IRS, state taxing authorities, and affected employees.
Within a month – although not prompted by the Virginia Wesleyan College incident – Governor Terry McAuliffe approved amendments to the state’s data breach notification statute. The amendments require employers and payroll service providers to notify the state’s Office of the Attorney General after the discovery of a breach of computerized employee payroll data that compromises the confidentiality of such data. Notification is required even if the breach does not otherwise trigger the statute’s requirement that the employer or payroll service provider notify residents of the breach.