Don’t be fooled by fake emails

Payroll departments must stay vigilant to avoid being taken in by online scams asking them to disclose confidential information


A recent United States Internal Revenue Service (IRS) alert about an email scam targeting payroll and human resources departments is a reminder of how important it is for employers to implement and follow good cyber-safety practices.

In late January, the IRS warned employers to be aware of what it called a “phishing” email scam circulating across the United States. Phishing emails pretend to be from a legitimate organization or person seeking financial and/or identity information.

In the scam the IRS warned about, the emails use a corporate officer’s name to trick payroll and HR workers into disclosing employee names, social security numbers and income information. “The thieves then attempt to file fraudulent tax returns for tax refunds,” said the IRS in a news release.

This type of email scam can trick recipients because the message may contain the actual name of the company’s chief executive officer.

The IRS warned that phishing emails may include phrases such as, “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review,” or “Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary)?” (W-2s are similar to T4s.)

A spokesperson for the Canada Revenue Agency (CRA) said the agency was not aware of a similar email scam in Canada; however, the CRA advises employers to take precautions to protect their employees’ personal information.

This is essential for payroll departments, which track and store employee earnings, deductions, pension plan information, social insurance numbers and home addresses, among other sensitive information.

On its website, the CRA cautions businesses to be aware of phony emails with attachments or links that purport to come from the agency. It says they may be detailed enough to look legitimate and may even include a CRA logo.

Sample fake messages on the agency’s website show that e-mails pretending to be from the CRA may warn that a criminal complaint has been filed against a specific individual or company for tax evasion. The message often includes a link to what it says is the text of the complaint.

The fake emails may even contain references and links to CRA policy. On its website, the agency provides examples such as, “For more information, please check our business information section, 2nd paragraph, ‘Authorizing a representative’: (web link).” They may also provide a telephone number and email address to contact for more information.

The CRA advises individuals who have provided information or money to scammers to contact the Canadian Anti-Fraud Centre, the police and their financial institution.

Cyber theft is a growing problem that companies must take seriously, says cybersecurity firm Panda Security.

“The number of attacks directed at corporations will increase, as these attacks become more and more advanced. Companies are already the prime target of cybercriminals, as their information is more valuable than that of private users,” the company said in a recent news release.

A 2016 survey by professional services firm PWC Canada on global economic crime found that 28 per cent of Canadian organizations reported experiencing cybercrime over a 24-month period, up from 24 per cent in 2014. The report said cybercrime is the second most prevalent type of economic crime against businesses.

While the survey did not say how big a role email scams play in cybercrime, a 2016 report on fraud from the Canadian Federation of Independent Business stated that, “By far the most common attempted fraud on small businesses are email scams and phishing.”

The report found that 72 per cent of small business owners said they had experienced an email scam or phishing attempt directed at their business in the last year. Twenty per cent said they lost money, goods, services or valuable information through it.

While all businesses are potential targets, smaller firms may not have the IT expertise to help guard against cyber-security threats.

To help small and medium-size businesses, the federal government has produced a guide called Getcybersafe: Protect while You Connect. It is on the government’s website at getcybersafe.gc.ca.

It provides advice on a number of cybersecurity issues, including those affecting the internet, email, mobile devices, remote access, point-of-sale, and data security.

Although the guide focuses on small and mid-size firms, all organizations could benefit from its suggestions.

To guard against potentially dangerous emails, the website and guide offer the following advice:

• Eliminate spam. Citing statistics from cybersecurity firm Symantec Corporation, the guide states that about 69 per cent of all email is spam. It says spam is a problem not only because it can include links that could be harmful if clicked, but also because it can slow down company networks, servers and computers, which could increase a business’ costs and reduce its productivity.

• The guide recommends using a spam filter. “If your business is using email hosted by another company, ask them about what spam filtering services they offer. If it is not working well, ask for a better spam filter or change email service providers.”

• Be careful of phishing emails that appear to be from another company, a bank or a government department. The guide states that it can be difficult to recognize phishing emails because they often use real logos and familiar looking colours, fonts and layouts. It advises people to watch for links in the email. “In almost every case, the message will include a website URL (link) that they want you to click and a request or demand for confidential information,” the guide states.

• Other signs that a link to a website may not be legitimate include hyphens, numbers, spelling mistakes and @ symbols in place of regular characters. “Encourage employees to manually type URLs in the address bar, rather than clicking on email links,” the government advises on its cyber-safety website. “This can help ensure they are going to a legitimate site and not a malicious or spoofed site.”

• Do not click on unverified or suspicious links even if they are offered as a way to remove you from a distribution list. “Even just clicking a link could give away sensitive information that a cyber-criminal can use to hurt you and your business,” the guide states.

• Never open attachments in spam or suspected spam messages.

• Do not reply to emails that seem suspicious. “Doing so will only confirm that your email address is valid and will actually result in more spam,” the guide states.

• Even if an email looks legitimate, the guide advises checking with a supervisor before disclosing confidential information. If a suspicious email appears to be from an organization that is familiar, phone someone in the organization to confirm whether it is legitimate, using a telephone number obtained independently rather than one supplied in the email itself.

• Keep the company’s employee email list confidential. “If you need to share an email address with someone outside of your business, use a generic email like [email protected],” the guide states.

• For all communication between computers and web-based email servers, the guide advises using HTTPS, which encrypts the data in transit so that it cannot be read or altered by anyone intercepting the connection between the browser and the mail server.

• Set strict password standards for email accounts, whether for business or personal reasons. Employees should not write their passwords on scraps of paper and leave them at their workstations. “They can be nabbed by people passing by and used to access their accounts,” the guide says.

• Before sending sensitive information by email, the guide says employees should consider whether there is the risk of serious harm to themselves or their employer if the information falls into the wrong hands. “If the answer is ‘Yes,’ then use another more secure method,” it advises. If it is necessary to send the information through email, the guide suggests encrypting email attachments and asking the intended recipient to advise when they receive it.

• When there is an employment termination, employers must ensure that the employee’s email account is closed quickly so that hackers cannot access it.
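The URL warning signs in the list above (hyphens, numbers and @ symbols in a link, and link text that does not match where the link actually goes) can be checked mechanically before anyone clicks. The following Python is an added example written for this page, not code from the Get Cyber Safe guide, the CRA or the IRS. The sample email HTML is constructed, the address 203.0.113.7 is a documentation-range IP standing in for an attacker's server, and the assumption that the legitimate domain is cra-arc.gc.ca is the reader's own out-of-band knowledge, not something the code can establish.

```python
"""Flag the URL red flags the Get Cyber Safe guide lists (added example)."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumption: the domain the email claims to come from, verified out of band
# (for example from a previous paper letter), not taken from the email itself.
EXPECTED_DOMAIN = "cra-arc.gc.ca"


def actual_host(url: str) -> str:
    """Return the host a browser would really connect to for this link.

    Anything before an '@' in the authority part is treated as a username
    and ignored, which is exactly why scammers put a trusted name there.
    """
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def url_red_flags(url: str, expected_domain: str = EXPECTED_DOMAIN) -> list[str]:
    """Return human-readable reasons this link looks suspicious (empty if none)."""
    flags: list[str] = []
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    if "@" in parts.netloc:
        flags.append(f"'@' in link: browser goes to {host!r}, not to the text before the '@'")
    if parts.scheme != "https":
        flags.append(f"not HTTPS (scheme is {parts.scheme!r})")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        flags.append("host is a bare IP address")

    if host != expected_domain and not host.endswith("." + expected_domain):
        flags.append(f"host {host!r} is not {expected_domain!r} or a subdomain of it")
        # Look-alike: the real domain appears inside the host as a decoy,
        # e.g. cra-arc.gc.ca.secure-verify.example
        if expected_domain in host:
            flags.append(f"{expected_domain!r} appears inside the host as a decoy")
        # Hyphens and digits are only suspicious in a host that is NOT the
        # expected domain; many legitimate domains (cra-arc.gc.ca) contain them.
        if any(re.search(r"[-0-9]", label) for label in host.split(".")):
            flags.append("hyphens or digits in an unexpected host")
    return flags


# Simple <a href="...">text</a> matcher for plain HTML email bodies.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def link_mismatches(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) pairs where the visible text looks
    like a web address but the link actually leads to a different host."""
    out = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I):
            if actual_host(text) != actual_host(href):
                out.append((text, href))
    return out


# Constructed sample modelled on the fake "criminal complaint" message the CRA
# describes: the visible link text is the real CRA site, the href is not.
SAMPLE_EMAIL_HTML = """
<p>A criminal complaint has been filed against your company. Read it here:
<a href="http://cra-arc.gc.ca@203.0.113.7/complaint.pdf">https://www.cra-arc.gc.ca/complaint</a></p>
<p>Authorizing a representative: <a href="https://www.cra-arc.gc.ca/">https://www.cra-arc.gc.ca/</a></p>
"""

if __name__ == "__main__":
    for url in (
        "https://www.cra-arc.gc.ca/",
        "http://cra-arc.gc.ca@203.0.113.7/complaint.pdf",
        "https://cra-arc.gc.ca.secure-verify.example/login",
    ):
        print(url, "->", url_red_flags(url) or ["no red flags"])
    for text, href in link_mismatches(SAMPLE_EMAIL_HTML):
        print(f"link text {text!r} actually points to {href!r}")
```

These checks are a training aid for the kind of inspection the guide describes, not a substitute for it: a link that passes every rule can still be malicious, and the hyphen and digit rules are deliberately applied only to hosts that are not the expected domain, because real government and business domains commonly contain both. The safest habit remains the one the guide gives: type the address by hand rather than clicking.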

Employers should also take steps to ensure that their outgoing emails are secure. “Once criminals have access to a legitimate account in your business, they can use it to get the contact information associated with that account, send out spam, launch phishing attacks and more,” the guide states.

It recommends that employers ensure that they use a secure email service and that only authorized employees be allowed to send emails from the business.

In addition, the guide recommends that employers archive sent emails in case they need them in the future for an investigation or for legal or financial reasons.

While all parts of an organization must stay vigilant to avoid being taken in by email scams, it is critical for departments such as payroll and HR that handle sensitive information to stay on top of potential cyber-security threats.
