It’s That Time of Year Again: Tax Phishing Season

With tax season upon us, so are security concerns. Con artists – or “malicious actors” as they’re known in information technology (IT) circles – understand that people may be more susceptible to a well-crafted phishing email during tax-filing and refund time. For example, you would most likely be suspicious of an email about your W-2 form, or a request to complete an attached tax form, if it arrived in July, October or December. But what if the same email landed in your inbox during February, March or April?

Most phishing emails should be easy to identify; telltale signs are poor grammar and punctuation or odd capitalization. However, some attempts will be more sophisticated. Since loose clicks sink ships, here are some examples of active phishing campaigns and some phishing best practices.

The Data-Harvesting Attack

The malicious actor will pose as a potential client, asking for tax preparation assistance. The exchange seems innocuous, but the malicious actor will set up a situation in which the victim lets down his or her guard and opens an attachment at some point during subsequent emails. This attachment exploits a vulnerability, harvesting contact information, which the attacker then uses to impersonate you and claim your tax refund.

The Log-In Request Attack

As a variation of this attack, you could be tricked into clicking a link or opening an attachment that asks you to log in with your email account credentials. Again, this scam exposes contact information, opening you up to phishing attacks.

The W-2 CEO Fraud Scam

The W-2 CEO Fraud scam is yet another phishing attack that targets innocent people by impersonating the CEO, President or other authority figure in the company. The newest variation of this email attack requests the 2016 1040-EZ Form for all employees for accounting purposes and emphasizes urgency. This type of attack is extremely targeted because the malicious actor often knows who has access to the requested information and who most likely would be the employee making such a hasty request. This form of attack rarely has a formal signature, just a simple “thanks,” followed by the sender’s first name and a “Sent from my iPhone” tag. The attacker tries to make the email feel friendly, while also using authority and urgency to motivate the recipient.

Remember that sensitive information should never be transmitted over email. Legitimate institutions understand that email is not secure, and it should not be treated as secure when exchanging sensitive financial and tax information. Paycom has secure ways to upload highly sensitive documents that are entirely independent of email. Anyone who tries to circumvent secure transmitting procedures – intentionally or not – should be instructed on how to share data securely. Any phishing incidents and attempts also should be shared with your information technology security team.

The IRS/Tax Commissioner Scam

In this scam, a malicious actor will impersonate the IRS/Tax Commissioner, asking you to fill out an attached form. The new form request is “due to a system upgrade.” The form name or number might even be a legitimate, though unfamiliar, IRS form, like the W-8BEN-E Form.

However, the fake form will have sections that not only request expected sensitive information, but also extensive bank account information such as:

  • Your bank’s branch address
  • Account officer’s name and email
  • Date account was opened
  • Date and amount of last deposit

This specific information allows the malicious actor to drain your bank accounts, in addition to claiming your tax refunds. Please note that legitimate sources will never need or request this level of account detail in order to file your taxes electronically and to complete a direct deposit.

In more personalized attacks, the malicious actor has figured out who prepares or handles your tax information and will impersonate that person. Similar to above, the attacker will ask you to fill out a form that may or may not include your banking information. Keep in mind that a malicious actor only needs basic tax information to steal your tax refund.

General Phishing Best Practices:

  1. Never send sensitive information through email.
  2. Be wary of unexpected email links, unexpected attachments and emails that stress urgency or that use fear as a motivator.
  3. Do not verify a suspicious email with an email reply.
  4. Call the sender using contact information you already have. If you don’t have contact information, independently search for the website–do not click any links.
  5. Financial institutions always send personalized emails that are addressed to you, in addition to having the last four digits of your account number. If these things are missing, be suspicious.
  6. Check the hyperlinks in all emails before clicking them by hovering over the link. Alternatively, use a bookmark that you’ve previously saved, use a Google search, or type the address manually.
  7. When looking for the URL domain name, start from the right, not the left.
    • Example: If read from left to right, the link http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/ appears to belong to PayPal. However, the address is actually ebay-buyprotection<dot>net, not PayPal.com.
  8. If you suspect you have been phished, contact your IT department or IT security team immediately. If you suspect that you are a phishing target, forward the email to spam@uce.gov, the impersonated institution, and your IT department.
  9. Check for HTTPS and a closed padlock icon in the address bar any time you enter confidential information into an online application. This ensures the security of information entered and indicates a legitimate and registered website.
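
The right-to-left reading from item 7, as an added example that is not part of the original article: it re-fangs the article's sample link, extracts the domain the link really belongs to, and flags brand names that appear only in the left-hand labels. The brand watch list and the short multi-label suffix set are constructed assumptions; a production check should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption, not exhaustive).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed watch list: brand keyword -> the domain that brand really uses.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# The defanged sample link from item 7 of the article.
PAGE_EXAMPLE = ("http://www.paypal.com-verify-transactionid-84937213938021"
                ".login.ebay-buyprotection<dot>net/")


def refang(url):
    """Undo common defanging so the URL can be parsed (never fetched)."""
    return url.replace("<dot>", ".").replace("[.]", ".")


def hostname(url):
    """Lower-cased host part of the URL, without port or trailing dot."""
    return (urlsplit(refang(url)).hostname or "").rstrip(".")


def registrable_domain(url):
    """Read the host from the right: public suffix plus one label."""
    labels = hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    # Two-label suffixes such as co.uk need one more label to the left.
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3 else 2
    return ".".join(labels[-take:])


def check_link(url):
    """Flag links that name a watched brand but belong to another domain."""
    host = hostname(url)
    domain = registrable_domain(url)
    findings = [
        f"host mentions '{brand}' but the domain is {domain}, not {real}"
        for brand, real in BRANDS.items()
        if brand in host and domain != real
    ]
    return {"domain": domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for link in (PAGE_EXAMPLE, "https://www.paypal.com/signin"):
        result = check_link(link)
        print(result["domain"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```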


Remember: legitimate sources, clients, colleagues, bosses, etc., should never:

  • request sensitive information in an email signed with a “Sent from my iPhone” tag
  • send forms through email
  • send generic, impersonal email (emails that do not address you by name)
  • ask for personal or financial information through email
  • request banking information in paper/electronic document forms
  • resort to threatening or intimidating language to get you to click links in email
  • send emails with poor grammar or awkward language; always check grammar and language usage

Lastly, be suspicious of any email that requests highly sensitive information or that uses an email address that is not from the company’s domain. Check the sender’s email address. It might say it’s someone from your contacts list or a legitimate institution, but it is surprisingly easy to spoof the name associated with an email.

by Paul Baresel

Author Bio: With expertise in compliance, data leak prevention and enterprise e-discovery, Paul Baresel brings more than 13 years’ experience in cybersecurity to his role as Paycom’s Information Technology Security Manager. He previously served in similar roles at American Energy Partners, Farmers Insurance and Chesapeake Energy. After graduating from the University of Central Oklahoma with a degree in information systems management, the native Oklahoman earned his MBA from Oklahoma Christian University. Outside of work, he enjoys running, climbing and spending time with his wife and their three children.

3 Steps to Prevent Unconscious Bias in the Interview Process

You do it. I do it. We all do it.

No, I’m not talking about converting oxygen into carbon dioxide – although you may need to take a deep breath before reading further. I’m talking about that unquestionably human habit of prejudging someone or something, whether in a positive or negative light.

That little prejudgment is known as unconscious bias. Most people harbor some bias, although they may not realize it. For employers, unconscious bias can cause big trouble if interviewers unfairly favor or dismiss a candidate during the hiring process.

According to Harvard Business Review, when interviewers without standardized questions are left to decide which candidate to hire, their decisions tend to be subjective and unconsciously influenced by fixed thoughts on race, gender and ethnicity. Considering the strict regulations set forth by the U.S. Equal Employment Opportunity Commission (EEOC), interviewers can get into hot water quickly, without even realizing they’re doing something wrong.

To help avoid risk, empower your hiring managers to follow these three steps.

Introduce performance-based questions

As the great equalizers, performance-based questions center on what employees must do to be successful in their roles. This includes questions to assess how they have addressed challenges in other roles, and hypothetical questions to judge how candidates would approach the challenges your company faces. The trick is to ask each candidate the same questions so you have a fair assessment.

If you’re wondering what a performance-based question sounds like, here’s an example: “Thinking about a time in which a project didn’t go as planned, what actions did you take to correct it as quickly as possible?”

Measure applicants’ answers

Performance-based questions are worth nothing unless you have a system to compare applicants’ answers. Next, you’ll want to compare their responses with something called a standardized rubric. Using a rubric means everyone involved in the hiring process agrees on what the important questions are and what an excellent answer would be. Without it, comparisons simply are not apples-to-apples. You easily can create a rubric by asking those who already perform the role what success looks like.

Train your staff

Finally, train your staff to recognize and counter biases during the hiring process. This is especially important when multiple interviewers screen for an open position. Make sure everyone knows to take good notes so they can compare candidates’ answers with the rubric. It’s important that everyone involved is on the same page, especially with which elements indicate future success.

Eliminating unconscious bias in the interview process is hard, especially when multiple parties are involved. That’s why it’s critical to factor performance-based questions into the equation, making it much easier to focus on candidates who possess the right skill set for the position at hand.

Learn more by downloading our free e-book, Discover What Your Front-Line Managers Need to Know About Hiring, Diversity Inclusion and EEOC Compliance.

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.

Posted in Blog, Compliance, Employment Law, Featured

by Monica Johnson

Author Bio: As Paycom’s client marketing specialist, Monica Johnson utilizes a mixture of marketing and human capital management knowledge gained from years of industry experience. A graduate from the University of Central Oklahoma, Johnson has been with Paycom since 2013 and has served in numerous roles during her career with the company. In her spare time, she enjoys baking, exploring Oklahoma City and sipping coffee, while reading a good book, at one of her favorite local shops.

5 Offbeat Holidays to Celebrate at Work … and Boost Employee Engagement

Halloween, Thanksgiving and the “holiday season” all fall in the fourth quarter, meaning the last three months of the year are jam-packed with celebrations and events, not only in your employees’ personal lives, but likely in your workplace as well.

But that festive atmosphere doesn’t have to fall only when the leaves do. Thanks to little-known holidays or theme days, you can easily discover things to celebrate throughout the year with your team. In fact, businesses may see benefits by doing so.

Impact on morale

Gallup found that 51% of employees who have a close work friendship consider themselves engaged, while 75% who have a best friend at work said they plan to be employed at their current company one year from now. Furthermore, those reporting having best friends at work were found to have higher levels of healthy stress management, even though they experienced the same stress as those who did not have good friends at work.

Building time for your team members to get to know each other and strengthen relationships is clearly good for morale, which is good for business. So how can your employees really get to know each other? With your help. Celebrating holidays or theme days year-round gives your employees opportunities to build connections with each other without the extra stress the traditional holiday season often brings.

Bonus tip: Get leadership involved! If employees see their managers skipping the events to stay at their desks, they’ll feel like they shouldn’t participate, either. Make sure to get buy-in from everyone and clearly state the beneficial impact of engagement.

Start with these

You can give your employees something to look forward to every year if they know your business makes a regular workday a day to celebrate something small. Start a tradition that’s unique to your company. Here are a few holidays that might be right for your organization to celebrate.

Jan. 26: Fun at Work Day

Make this day one your employees won’t want to miss! Maybe you bring in food trucks for lunch or schedule a team-building activity at a local place that holds corporate events and specializes in team-building (like cooking or painting classes). For extra fun, keep the day’s activities a surprise and try to do something different every year.

March 14: National Pi Day

What better way to commemorate 3/14 than by holding a bake-off with a trophy for the office’s best pie? The winner can keep the prize on his or her desk and have bragging rights for the year.

April 26: Take Your Sons and Daughters to Work Day

Not every organization may be able to have an event like this during the workday. If not, you could organize an event after work as an open house to encourage employees to share with their children what they do. It also will give your employees an opportunity to introduce their families to each other without having to wait for your holiday party. Plus, it’s never too early to start recruiting.

May 4: May the Fourth Be With You

Named for sounding similar to a catchphrase from a super-popular movie franchise, May 4 is a fun “holiday” to recognize at the office, particularly if you know you have fans of the galactic saga. You might organize a costume contest or perhaps play one of the films in the company cafeteria or a conference room.

June 1: National Doughnut Day

This one’s pretty easy: Buy doughnuts for your staff. Take a midmorning break and enjoy them together. Maybe spring for some coffee or bagels, too.

You can keep track of holidays like these, as well as critical HR and compliance deadlines, by downloading our free digital 2018 HR & Payroll Calendar.

Posted in Blog, Employee Experience, HR Management

by Callie Johnson

Author Bio: As a writer for Paycom, Callie Johnson creates content for the company’s various marketing and communications initiatives. Having earned her bachelor’s degrees in journalism from the University of Oklahoma and web design/development from Full Sail University, she has written for companies of all sizes. Outside of the office, she enjoys hand-lettering, going to the movies and spending time with her family and dogs.

2018 Form W-4 Changes Employees Should Consider

Ever since President Trump signed the Tax Cuts and Jobs Act (TCJA) into law last December, payroll professionals have been anticipating an updated IRS Form W-4. After issuing new federal income tax withholding guidance in January as a result of the TCJA, the IRS released the 2018 version of Form W-4, Employee’s Withholding Allowance Certificate, on Feb. 28.

The 2018 Form W-4 has been implemented in the Paycom system.

Interim guidance

The IRS previously released Notice 2018-14, which provided guidance on the usage of the existing 2017 version of Form W-4. Among other things, this notice:

  • extended the effective period of the 2017 version for purposes of claiming exemption from withholding temporarily until Feb. 28, 2018
  • described the procedures by which employees may claim exemption from withholding for 2018 using the 2017 Form W-4
  • temporarily suspended the requirement that employees must furnish a new Form W-4 within 10 days of changes in status that reduce withholding allowances they are entitled to claim
  • allowed employees (including newly hired employees) to use the 2017 Form W-4 to update their withholding allowances until 30 days after the 2018 Form W-4’s release (March 30)
  • stated that employees who furnish new Form W-4s using the 2017 version do not need to furnish a 2018 Form W-4 after it is released


Changes to consider

Solely due to the changes passed in the TCJA, the IRS is not requiring employees to submit a 2018 Form W-4 to their employer, although they may if they choose. However, substantial changes have been made to the worksheets associated with the 2018 Form W-4, so employees should consider how the new rules will affect their specific tax and withholding situation when making the decision.

Despite the TCJA’s removal of personal exemptions from year-end income tax calculations, Form W-4 still includes a Personal Allowances Worksheet. Its credits section has been revised to allow for:

  • the increased child tax credits as adjusted for income
  • adjustments for credits claimed for other dependents
  • a new line for “Other credits” that will be calculated by the employee using a worksheet found in the 2018 version of Publication 505 (yet to be released)

Additionally, the form’s Deductions and Adjustments Worksheet has been revised to adjust for the new values for standard deductions, as defined by the TCJA, while the Two-Earners/Multiple Jobs Worksheet contains updated wage brackets in the tables used to calculate allowances depending on multiple job households.

‘Paycheck checkup’

To help employees see how completing a 2018 Form W-4 will affect their take-home pay, the IRS released an updated Withholding Calculator online.

The IRS encourages all employees to use it to conduct “a quick ‘paycheck checkup’” and to use the information it returns to determine if they would like to adjust their withholding. These values can be entered by the employee directly into Paycom’s Employee Self-Service tool to complete a new Form W-4.

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.

Posted in Blog, Compliance

Author Bio: Robert Barclay has been the Tax Research Team Lead at Paycom since 2012, and has been instrumental in such company projects as the development of its Affordable Care Act compliance product, implementation of geolocation services and redesign of Form W-2. He joined Paycom in 2011, bringing more than 20 years of experience with the capital markets consulting practices of Ernst & Young in Memphis, Tenn., and Birmingham, Ala.; and Causey Demgen & Moore in Denver, Colo. A native Oklahoman, Barclay is a graduate of Rhodes College in Memphis, where he played football as linebacker.

