Scammers target Payroll: here’s what you should do

December 20, 2016

Last tax season was the first time scammers targeted Payroll departments. Payroll departments received phony emails supposedly from their real CEOs, requesting employees’ identifying information, including their Social Security numbers (SSNs). Recently, the IRS announced that tax pros received emails asking them to update their IRS accounts; the emails directed them to a fake website.

All of this is a reminder that the opening of tax season is a bonanza for identity thieves. There are ways to protect against it.

W-2 pilot project continues. Last tax season, the IRS initiated a pilot project with several large third-party payroll providers that required them to include a unique 16-character alphanumeric verification code on Copies B and C of employees’ 2015 W-2s in a separate, labeled box. The code is computed using W-2 data and an IRS-provided algorithm. It’s used to verify the authenticity of W-2 data on e-filed 1040s and is entered when employees e-file their 1040s.

About two million 2015 W-2s included the code. The pilot was successful enough that it will continue for 2016 W-2s. In addition, the IRS says that it’s expanding the pilot to include more third-party providers. The verification code will now appear on 50 million 2016 W-2s.

Requests for early W-2s. Many commercial tax prep firms aggressively hawk their ability to e-file 1040 forms early. But they can’t, unless employees provide them with early W-2s. Even if you honored these requests in past years, you can use the new accelerated, consolidated W-2 filing deadline of Jan. 31, 2017, as the reason why you will no longer do so. Be proactive: Avoid employees’ grumblings by sending an email to employees about your new policy.

Say no to company “execs.” Scammers are resourceful, so it’s likely that they’ll try again to worm their way into your payroll data to obtain employees’ SSNs.

Idea: Suggest that organizational charts be removed from your company’s website. You can also take these steps to ensure the integrity of your payroll data:

  • Inform upper management that as an identity theft prevention measure, the Payroll department will not respond to emails asking for employees’ personal identifying information. Instead, all requests must be in writing, on paper and verified.
  • Require that Payroll staff use strong passwords (numbers, symbols, upper and lowercase letters) on all computers and tax software programs and require that they change their passwords every 60 to 90 days.
  • Train Payroll staff in security and nondisclosure, especially to outsiders who ask for information to be faxed or emailed. Also warn staff against making information vulnerable by failing to immediately file and lock up personnel files after use.