Heads up: In recent months, a number of federal agencies — including the FBI and IRS — are warning employers about new scams targeting employees’ direct deposit, W-2 and I-9 information. These scams have wreaked havoc on scores of companies. Here are three of the most problematic scams you need to be aware of:
- Direct deposit information: The most recent warning for employers came from the FBI. It involves a phishing scam in which cybercriminals attempt to get employees to unwittingly provide the scammer access to the company’s self-service payroll platform. In the version of the scam HR will be most interested in, a person pretending to be from the company’s HR department sends an email asking an employee to click on a link provided in the email and log into their self-service account. The scammer will claim the employee must do this in order to:
- view a confidential email from HR
- view changes to the employee’s account, or
- confirm that the account should not be deleted.
However, when the employee clicks on the link and enters the requested info, they’re actually handing the scammer their login credentials, which expose their W-2 and paystub info. The scammer can then change the employee’s direct deposit instructions, and prevent detection by changing the email address used to notify the employee that such changes were made. Scammers may also change an employee’s passwords or other credentials to keep the fraud from being discovered for as long as possible. In many cases, employers aren’t aware of anything until they hear from workers that their wages aren’t being deposited. To prevent falling victim to this scam, the FBI is warning employers to:
- Train employees to watch for phishing attacks and suspicious malware links. Checking the actual e-mail address rather than just looking at the display name can be crucial to spotting the attack early.
- Require two-factor authentication on HR self-service platforms. For example, users can be required to enter a second password that is emailed to them, or a code from a hardware token.
- Set up alerts on self-service platforms for administrators so that unusual activity may be caught before money is lost. Alerts can be triggered, for example, when banking information is changed to the kinds of online bank accounts typically used by fraudsters.
- Set a time delay between when direct deposit information is changed in the self-service portal and the actual deposit of funds into the new account, to decrease the chance of the theft of funds.
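As an added example (not from the article or the FBI alert), here is how the alerting and time-delay recommendations above could be applied to a payroll platform’s audit log: flag a bank-account change that sits within a short window of an email or password change by the same employee, and keep paying the previous account until a hold period has passed. The event format, employee ids, 24-hour window and 5-day hold are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed audit-log sample from a hypothetical payroll self-service
# platform; employee ids, timestamps and account values are made up.
SAMPLE_EVENTS = [
    {"ts": "2019-03-04T09:12:00", "emp": "e1001", "type": "login",
     "detail": "ip=203.0.113.7"},
    {"ts": "2019-03-04T09:13:10", "emp": "e1001", "type": "email_change",
     "detail": "new=notify.e1001@example.net"},
    {"ts": "2019-03-04T09:14:05", "emp": "e1001", "type": "bank_change",
     "detail": "acct=XXXX1234"},
    {"ts": "2019-03-06T10:00:00", "emp": "e1002", "type": "bank_change",
     "detail": "acct=XXXX5678"},
]

# Event types that, clustered around a bank change, match the
# "change the account, then silence the notification" pattern.
EVASION_EVENTS = {"email_change", "password_change"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_bank_changes(events, window=timedelta(hours=24)):
    """Return (employee, bank-change timestamp, related event types) for each
    bank change with an email or password change by the same employee
    within `window` before or after it."""
    hits = []
    for ev in events:
        if ev["type"] != "bank_change":
            continue
        related = sorted(
            other["type"] for other in events
            if other["emp"] == ev["emp"]
            and other["type"] in EVASION_EVENTS
            and abs(_ts(other) - _ts(ev)) <= window
        )
        if related:
            hits.append((ev["emp"], ev["ts"], related))
    return hits


def account_for_payroll(change_ts, payroll_date, hold=timedelta(days=5)):
    """Time-delay rule: the new account is used only once the hold period
    has elapsed; until then the previous account is paid."""
    release = datetime.fromisoformat(change_ts) + hold
    return "new" if datetime.fromisoformat(payroll_date) >= release else "previous"
```

Running `find_suspicious_bank_changes(SAMPLE_EVENTS)` flags only e1001, whose notification email was changed a minute before the bank change, while e1002’s lone change is left for the hold period to cover.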
- Growing W-2 scam: The IRS also recently warned employers about a W-2 scam that impacted “hundreds of organizations and thousands of employees last year.” Reports of a Form W-2 scam skyrocketed last year (900 reports in 2017 compared to a little over 100 in 2016), and cybercriminals have easily been able to trick scores of payroll pros – and other staffers with access to payroll info – into disclosing sensitive info about the entire workforce. In general, the scam involves an email appearing to come from a company exec, asking payroll pros for a list of employees and their W-2s. With this warning, the IRS is hoping to prevent another record year for scammers.
- A convincing I-9 request: Finally, if you get a very convincing email from the U.S. Citizenship and Immigration Services (USCIS) agency about info on your employees’ I-9s, don’t follow the instructions. Employers aren’t required to submit Form I-9 to the USCIS, so such a request may raise some red flags for some folks. But the request is tripping up employers because the emails look very authentic. In fact, the emails actually come from a uscis.gov address. They even contain labels from both USCIS and the Office of Inspector General.
As if that’s not enough to fool time-strapped people, many of the emails also contain other details designed to make the messages appear legitimate — like your company’s mailing address. The USCIS, however, has made it abundantly clear they are not sending any emails to employers about their I-9s. They are also warning firms not to click on any links in the email or respond to the sender. Employers may also be tripped up because the feds recently announced they are ramping up I-9 audits, and firms want to respond as quickly as possible to any I-9-related requests. Again, the USCIS won’t email about an I-9 audit.
Audits of I-9s are conducted by USCIS or the DOL, and notification of an audit is ALWAYS done by written notice from the agency. USCIS NEVER requires employers to submit (or email) I-9 Forms to USCIS unless they are being audited.
To prevent your company from falling victim to this I-9 scam, there are several preemptive steps you should take ASAP:
- First, make sure your employees are aware of the I-9 scam email and what the phony email will look like.
- If workers do receive an I-9 info request, they should forward those messages to the Federal Trade Commission via the ftccomplaintassistant.gov site.
- Also, if you receive an email from the USCIS and aren’t sure it’s legit, you can always double-check by forwarding it to uscis.webmaster@uscis.dhs.gov.