
Your HR Team is a Target for Phishing Scams


Every day, businesses must deal with malicious emails flooding their inboxes. Some are packaged to deliver ransomware or malware, while others simply attempt to trick recipients into revealing valuable information. Others are business email compromise (BEC) scams, hijacking the email address of an executive to extract money or proprietary company data.

These kinds of phishing attempts continue to plague organizations. Phishing has been the top attack vector for more than 15 quarters and the FBI reports that BEC scams caused more than $43 billion in losses in a 5-year period.

For businesses of all sizes, the risk is real — and an organization’s human resources functions can be a prime target.

What makes HR departments such an attractive target for phishing scams?

Human resources teams are responsible for recruiting talent, benefits enrollment and employee relations. As a result, HR’s systems are filled with personally identifiable information (PII) of the employees, contractors and applicants they deal with. Many HR professionals also have access to financial applications that work in tandem with payroll departments.

These personnel records contain highly sensitive data — and that is often what fraudsters are after when trying to breach company defenses. BEC attacks are a common tactic when trying to access that valuable PII. The W-2 phishing scam is a good example.

How does a W-2 phishing scam work?

Here’s how W-2 phishing scams work:

  • Cybercriminals hijack an executive or organization leader’s email address to send a message to a payroll or HR employee.
  • The message may start with a simple greeting, such as “Hey, are you in today?” or “Can you help me?”, but eventually ends in a request that HR email all W-2 forms for all employees.
  • Once those files are sent, it may take weeks for payroll or HR to realize a data theft has occurred.
  • Meanwhile, the cybercriminals quickly take advantage of the compromise, filing fraudulent tax returns before the employee can file their legitimate return.

How does tax season impact your risk?

While the threat of phishing scams is always present, it is especially acute for HR departments during the first three months of each year. The increase during tax season is no accident. Tax fraud appeals to cybercriminals because it’s effective and very lucrative. The IRS reports that it uncovered more than $5.7 billion in tax fraud during fiscal year 2022.

Protect your employees

Regardless of the industry you’re in, it is important that your entire staff is prepared to recognize a phishing email — but it is particularly important for your human resources and payroll teams. Some things to remember include:

  • Beware of unusual communications. If you receive an email or text from an executive or a vendor that seems out of the ordinary, be cautious. Call them directly from a number you know is correct to verify the request. Never trust a phone number or link in the suspicious email.
  • Check to see if the displayed link matches the underlying hyperlink. Without clicking the link, hover your cursor over any hyperlinks. Does the pop-up address match the link in the email? Or did the legitimate-looking URL suddenly change to redirect you to another site?
  • Pay attention to appeals for urgency or requests for immediate action. Scammers will try to make you act quickly by saying that your account will be closed or a purchase will be cancelled if you do not act immediately. They want you to act before you think. Don’t fall for it.
  • Question requests for sensitive personal information. Banks, vendors and other reputable institutions won’t ask for personal or account information by email, so don’t provide it. Again, if you have concerns, play it safe and call the sender directly using a known-to-be-safe number to verify the legitimacy of the communication.
  • Check for spelling or grammatical errors. Phishing scams can intentionally include misspelled words, incorrect grammar or other issues in the text. If the recipient responds, the criminal knows the person isn’t paying close attention — indicating they may be vulnerable to a potential phishing attempt.
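The "hover over the link" check above can also be automated at the mail gateway or in a triage script. The following Python example is an added illustration, not code from Sontiq or from the original article: it parses the HTML body of an email, finds every anchor whose visible text looks like a URL, and flags it when the domain shown to the reader differs from the domain the href actually points to. The sample message is constructed for the demo, and the registered-domain helper is a deliberately simple assumption (last two labels); a production filter would use a public-suffix list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches visible anchor text that looks like a URL and captures its host part.
URL_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Text inside an open <a> (including nested <b>, <span>, ...) is the displayed link.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Assumption for the demo: the registered domain is the last two labels.
    Real deployments should consult the public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_link_mismatches(html_body):
    """Return anchors whose displayed URL and real href point at different domains."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        match = URL_RE.match(text)
        if not match or not href:
            continue  # visible text is not a URL ("Click here"), nothing to compare
        shown_domain = _registered_domain(match.group(1))
        actual_domain = _registered_domain(urlparse(href).hostname or "")
        if shown_domain != actual_domain:
            findings.append({
                "shown": text,
                "actual": href,
                "shown_domain": shown_domain,
                "actual_domain": actual_domain,
            })
    return findings


# Constructed sample email body: one legitimate link, one disguised link, one plain-text link.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hey, are you in today? Our benefits portal is at
<a href="https://hr.example.com/benefits">https://hr.example.com/benefits</a>.</p>
<p>Please confirm the W-2 upload at
<a href="http://example-bank.com.evil-site.test/login"><b>www.example-bank.com</b>/login</a>
before 5pm or the account will be closed.</p>
<p><a href="https://hr.example.com/help">Click here</a> if you have questions.</p>
</body></html>
"""


def demo():
    """Run the check over the constructed sample and return the findings."""
    return find_link_mismatches(SAMPLE_EMAIL_HTML)


if __name__ == "__main__":
    for f in demo():
        print(f"MISMATCH: shows {f['shown_domain']!r} but goes to {f['actual_domain']!r} ({f['actual']})")
```

Only anchors whose visible text is itself a URL are compared; a link labelled "Click here" is not a mismatch by this rule and still needs the reader to hover. The check is cheap enough to run on every inbound message and gives the HR or payroll recipient a concrete warning rather than relying on them noticing a pop-up address.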