
Employers Take Note of an Emerging Phishing Scheme Involving Worker W-2 Forms

Published Friday, April 29, 2016 2:54 pm



Payroll and human resources professionals should be aware of a new phishing email scheme to obtain personal information from company payroll records. According to the Internal Revenue Service (IRS), the scheme involves the receipt of a "spoofing" email that contains, for example, the actual name of the company chief executive officer and requests a list of employees and personnel information from the company payroll office or human resources department. The IRS reports that cybercriminals then monetize the personal information received through various means, including by filing fraudulent tax returns for refunds. Language that has been used in several of these emails includes:
 
  • "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review."
  • "Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary)."
  • "I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment.  Kindly prepare the lists and email them to me asap."
 
According to IRS Commissioner John Koskinen, "If your CEO appears to be emailing you for a list of company employees, check it out before you respond.  Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees."
 
This vigilance is particularly important given that at least one lawsuit has been filed by employees at one company who claimed that the company negligently released sensitive data (including W-2 forms and Social Security numbers) during a phishing scam. In Hernandez v. Sprouts Farmers Market Inc., Case No. 3:16-CV-00958 (S.D. Cal. April 2016), the plaintiffs allege that their current or former employer, Sprouts Farmers Market Inc., was negligent in responding to a "spoofing" email by sending approximately 21,000 employee 2015 W-2 forms to what turned out to be an unknown party in March of 2016. While the employer subsequently offered affected individuals free credit monitoring after realizing the error, the plaintiffs allege that this remedy is insufficient. To avoid a similar outcome in other organizations, employers are encouraged to be vigilant in confirming the veracity of a purported request for the email transmission of confidential employee information.
