Phishing Season

It’s That Time of Year Again: Tax Phishing Season

With tax season upon us, so are security concerns. Con artists – or “malicious actors” as they’re known in information technology (IT) circles – understand that people may be more susceptible to a well-crafted phishing email during tax-filing and refund time. For example, you would most likely be suspicious of an email about your W-2 form, or a request to complete an attached tax form, if it arrived in July, October or December. But what if the same email landed in your inbox during February, March or April?

Most phishing emails should be easy to identify; telltale signs are poor grammar and punctuation or odd capitalization. However, some attempts will be more sophisticated. Since loose clicks sink ships, here are some examples of active phishing campaigns and some phishing best practices.

The Data-Harvesting Attack

The malicious actor will pose as a potential client, asking for tax preparation assistance. The exchange seems innocuous, but the malicious actor will set up a situation in which the victim lets down his or her guard and opens an attachment at some point during subsequent emails. This attachment exploits a vulnerability, harvesting contact information, which the attacker then uses to impersonate you and claim your tax refund.

The Log-In Request Attack

As a variation of this attack, you could be tricked into clicking a link or opening an attachment that requests that you log in with your email account credentials. Again, this scam exposes contact information, opening you up to further phishing attacks.

The W-2 CEO Fraud Scam

The W-2 CEO Fraud scam is yet another phishing attack that targets innocent people by impersonating the CEO, President or other authority figure in the company. The newest variation of this email attack requests the 2016 Form 1040-EZ for all employees “for accounting purposes” and emphasizes urgency. This type of attack is extremely targeted because the malicious actor often knows who has access to the requested information and who most likely would be the employee receiving such a hasty request. This form of attack rarely has a formal signature, just a simple “thanks,” followed by the sender’s first name and a “Sent from my iPhone” tag. The attacker tries to make the email feel friendly, while also using authority and urgency to motivate the recipient.

Remember that sensitive information never should be transmitted over email. Legitimate institutions understand that email is not secure, and it should not be treated as such with regard to the exchange of sensitive financial and tax information. Paycom has secure ways to upload highly sensitive documents that are entirely independent of email. Anyone who tries to circumvent secure transmitting procedures – intentionally or not – should be instructed on how to share data securely. Any phishing incidents and attempts also should be shared with your information technology security team.

The IRS/Tax Commissioner Scam

In this scam, a malicious actor impersonates the IRS/Tax Commissioner and asks you to fill out an attached form. The new form is said to be required “due to a system upgrade.” The form name or number might even be a legitimate, though unfamiliar, IRS form, like Form W-8BEN-E.

However, the fake form will have sections that not only request expected sensitive information, but also extensive bank account information such as:

  • Your bank’s branch address
  • Account officer’s name and email
  • Date account was opened
  • Date and amount of last deposit

This specific information allows the malicious actor to drain your bank accounts, in addition to claiming your tax refunds. Please note that legitimate sources will never need or request this level of account detail in order to file your taxes electronically and to complete a direct deposit.

In more personalized attacks, the malicious actor has figured out who prepares or handles your tax information and will impersonate that person. Similar to the above, the attacker will ask you to fill out a form that may or may not include your banking information. Keep in mind that a malicious actor only needs basic tax information to steal your tax refund.

General Phishing Best Practices:

  1. Never send sensitive information through email.
  2. Be wary of unexpected email links, unexpected attachments and emails that stress urgency or that use fear as a motivator.
  3. Do not verify a suspicious email with an email reply.
  4. Call the sender using contact information you already have. If you don’t have contact information, independently search for the website – do not click any links.
  5. Financial institutions always send personalized emails that are addressed to you, in addition to having the last four digits of your account number. If these things are missing, be suspicious.
  6. Check the hyperlinks in all emails before clicking them by hovering over the link. Alternatively, use a bookmark that you’ve previously saved, use a Google search, or type the address manually.
  7. When looking for the URL domain name, start from the right, not the left.
    • Example: If read from left to right, http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/ appears to belong to PayPal. However, the address actually belongs to ebay-buyprotection<dot>net, not PayPal.com.
  8. If you suspect you have been phished, contact your IT department or IT security team immediately. If you suspect that you are a phishing target, forward the email to spam@uce.gov, the impersonated institution, and your IT department.
  9. Check for HTTPS and a closed padlock icon in the address bar anytime you enter confidential information into an online application. This ensures the security of information entered and indicates a legitimate and registered website.
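Item 7 above can be automated. The script below is an added example, not code from the original post: it restores the defanged link quoted in item 7, reads the host from the right to find the domain that actually owns the link, and flags the case where a brand name appears somewhere in the host but the owner is a different domain. The two-label “registrable domain” rule is a simplification assumed for this demonstration (it ignores suffixes such as .co.uk).

```python
"""Read a link's real domain from the right, as item 7 advises.

Added example, not part of the original post. Standard library only; the
two-label registrable-domain rule is an assumption made for the demo.
"""
from urllib.parse import urlsplit

# Constructed sample: the defanged link quoted in the post, copied as-is.
SAMPLE_LINK = ("http://www.paypal.com-verify-transactionid-84937213938021"
               ".login.ebay-buyprotection<dot>net/")


def refang(link: str) -> str:
    """Turn a defanged '<dot>' link back into a parseable URL."""
    return link.replace("<dot>", ".")


def registrable_domain(url: str) -> str:
    """Return the domain that owns the link: the last two host labels.

    Everything to the left of these labels is a subdomain the owner can
    pick freely, which is why reading left to right is misleading.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        return host
    return ".".join(labels[-2:])


def looks_like_brand_spoof(url: str, brand_domain: str) -> bool:
    """True when the brand name shows up in the host but the link is owned
    by another domain, the pattern item 7 in the post warns about."""
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(url)
    brand = brand_domain.lower()
    return owner != brand and brand.split(".")[0] in host


if __name__ == "__main__":
    url = refang(SAMPLE_LINK)
    print("link owner:", registrable_domain(url))
    print("PayPal spoof?", looks_like_brand_spoof(url, "paypal.com"))
```

A padlock only tells you the connection to that host is encrypted, so pair item 9 with this domain check: a look-alike host can present a valid certificate for its own domain.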


Remember: legitimate sources, clients, colleagues, bosses, etc., should never:

  • request sensitive information in an email signed with a “Sent from my iPhone” tag
  • send forms through email
  • send generic, impersonalized email (emails that do not address you by name)
  • ask for personal or financial information through email
  • request banking information in paper/electronic document forms
  • resort to threatening or intimidating language to click links in email
  • send emails with poor grammar or awkward language; always check grammar and language usage

Lastly, be suspicious of any email that requests highly sensitive information or that comes from an email address that is not on the company’s domain. Check the sender’s email address: it might say it’s someone from your contacts list or a legitimate institution, but it is surprisingly easy to spoof the name associated with an email.
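The sender check above, together with the cues listed for the W-2 CEO scam (urgency, a tax-form request, a “Sent from my iPhone” tag), can be applied to a raw message. This is an added example, not part of the original post; the company domain and the message headers are constructed for the demonstration.

```python
"""Separate the display name a sender claims from the address they used.

Added example, not part of the original post. COMPANY_DOMAIN and the sample
message are constructed assumptions for this demo.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed company domain for the demo

# Constructed sample: the display name claims an internal executive, but the
# address behind it sits on an unrelated domain.
SAMPLE_MESSAGE = """\
From: "Pat Doe, CEO" <pat.doe@example-mail-login.net>
To: payroll@example.com
Subject: need 2016 1040-EZ forms for all employees asap

Can you send me the W-2/1040-EZ forms for everyone today? thanks
Pat
Sent from my iPhone
"""


def sender_address(raw):
    """Return (display name, address) parsed from the From header."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))


def address_domain(addr):
    """Domain part of an address, lowercased; empty if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external_sender(raw, company_domain=COMPANY_DOMAIN):
    """True when the From address is not on the company's domain.

    The display name is deliberately ignored: it is the part a spoofer
    controls, which is the point the post makes about sender names.
    """
    _, addr = sender_address(raw)
    return address_domain(addr) != company_domain.lower()


def urgency_cues(raw):
    """Cues the post lists for the CEO scam, found in subject and body."""
    msg = message_from_string(raw)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    found = []
    if any(w in text for w in ("urgent", "asap", "today", "immediately")):
        found.append("urgency")
    if "sent from my iphone" in text:
        found.append("mobile signature")
    if any(f in text for f in ("w-2", "1040", "form")):
        found.append("tax form request")
    return found


if __name__ == "__main__":
    print("external sender:", is_external_sender(SAMPLE_MESSAGE))
    print("cues:", urgency_cues(SAMPLE_MESSAGE))
```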


by Paul Baresel


Author Bio: With expertise in compliance, data leak prevention and enterprise e-discovery, Paul Baresel brings more than 13 years’ experience in cybersecurity to his role as Paycom’s Information Technology Security Manager. He previously served in similar roles at American Energy Partners, Farmers Insurance and Chesapeake Energy. After graduating from the University of Central Oklahoma with a degree in information systems management, the native Oklahoman earned his MBA from Oklahoma Christian University. Outside of work, he enjoys running, climbing and spending time with his wife and their three children.

Affordable Care Act (ACA)

Trump Announces 2 Changes to ACA


On Oct. 12, President Donald Trump ordered comprehensive changes to the nation’s health insurance system while also, in a separate move, ending health care subsidies for low-income Americans. The White House billed the decisions as relief to those suffering under the Affordable Care Act (ACA), while the opposition condemned these changes as actions aimed at undercutting the ACA.

Expansion of association health plans and short-term insurance

The executive order signed by Trump directs federal agencies to make it easier to set up “association health plans,” which are groups of small businesses that pool together to buy insurance. The order also seeks to broaden the definition of short-term insurance from three months to almost a year in duration.

By expanding both these types of plans, the administration expects insurance to be less costly than the plans sold on the state-based insurance exchanges, which provide more extensive coverage options. One concern, however, is healthy customers will jump out of the individual markets for cheaper plans, leaving sicker customers on the underwritten exchanges.

Health care subsidies to end

Trump also will end health care subsidy payments to insurance companies that used them to pay out-of-pocket costs for low-income people receiving coverage through the exchanges. The future of these payments has been in doubt for months – dating back to the Obama administration – because of a lawsuit filed by House Republicans. The lawsuit alleged the Obama administration was paying these subsidies illegally because Congress had never authorized the cost-sharing arrangement.

Until now, the Trump administration had continued the payments on a monthly basis. A group of state attorneys general has indicated it will sue to block the administration from ending these payments, which it claims will cause the individual markets to unravel.

ACA Awaits Repeal or Repair

What this means for employers

Neither of these changes is aimed primarily at employers subject to the ACA employer mandate, so clients using Paycom’s ACA services likely won’t see a direct impact to their obligations under the law. However, the tweaks indirectly could result in higher costs to employer-sponsored plans.

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.

Posted in ACA, Blog, Compliance, Employment Law, Featured

by Jason Hines


Author Bio: Jason Hines is a Paycom compliance attorney. With more than five years’ experience in the legal field, he monitors developments in human resource laws, rules and regulations to ensure any changes are promptly updated in Paycom’s system for our clients. Previously, he was an attorney at the Oklahoma City law firm Elias, Books, Brown & Nelson. Hines earned a bachelor’s degree from the University of Central Oklahoma and his juris doctor degree from the Oklahoma City University School of Law, where he graduated cum laude. A fan of the Oklahoma City Thunder, Hines also enjoys exploring the great outdoors with his wife and daughter.

EEO-1 Pay Data

EEO-1 Pay Data Requirements on Indefinite Hold


The EEO-1 report is changing once again. Recently, the new pay data and hours worked requirements announced last year were suspended indefinitely by the Office of Information Regulatory Affairs. While employers will report Equal Employment Opportunity (EEO) information in a familiar format, they need to be aware of key date changes.

3 important changes

The biggest change to the report is the suspension of the requirement to report pay data and hours worked. For 2017, employers will report in the prior 2016 format, which only collects data on race, ethnicity and gender by occupational category. When the new EEO-1 requirements were announced by the Obama administration last year, the 2017 reporting deadline was moved from Sept. 30, 2017, to March 31, 2018.

According to an Equal Employment Opportunity Commission (EEOC) statement, “the previously approved EEO-1 form which collects data on race, ethnicity and gender by occupational category will remain in effect. Employers should plan to comply with the earlier approved EEO-1 (Component 1) by the previously set filing date of March 2018.” Additionally, the previously approved “workforce snapshot” period of Oct. 1 through Dec. 31 will remain in effect. Therefore, employers must submit reports based on a payroll period within that time frame.

Summary of the changes:

  • The deadline to file EEO-1 reports for 2017 is March 31, 2018;
  • Reports must be based on a payroll period in October, November or December of 2017; and,
  • Employers may use the same EEO-1 form used in 2016.

The EEOC has not yet fully updated its website to reflect this new information, but the home page provides some explanation.

Pay data requirement gone?

The pay data and hours worked requirements simply have been suspended. Until the Office of Management and Budget (OMB) completes its review of the rule, their future is unclear. The OMB is concerned that some aspects of the revised rule “lack practical utility, are unnecessarily burdensome, and do not adequately address privacy and confidentiality issues.” The acting chair of the EEOC, Victoria Lipnic, has been vocal with her opposition to the pay data requirement, which she voted against when it was initially proposed.

Although the EEO-1 report appears to be ditching the pay data requirement, state governments may step in to fill the void. Under a proposal in California, employers in the state with more than 500 employees would be required to submit information to the Secretary of State on gender wage differentials. Although this measure has not been signed by the governor, employers should monitor this legislation, which would go into effect in 2019.

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.

Posted in Blog, Compliance, Employment Law, Featured

by Jason Hines

Employee Experience

The Winning Workforce Equation


The term “the employee experience” is thrown around frequently in HR today. It’s not the same as “employee engagement,” another well-known industry buzzword. With trends evolving at such a rapid pace, what is this new concept that’s making waves in the industry?

Looking for a deeper dive into the employee experience? Check out the HR Break Room podcast episode, “Happy Employees = Happy Customers: The Equation for a Winning Workforce” with author Jacob Morgan.

According to the author of The Employee Experience Advantage, Jacob Morgan, the employee experience is the sum of a worker’s experiences, good or bad, during his or her term of employment at an organization. A business can enhance that experience by addressing and influencing the elements of culture, technology and physical space. He calls the combination of these three things, “the employee experience equation.” As Morgan said, “When you invest in the employee experience, you’ll start to notice an engaged workforce. And an engaged workforce will deliver business outcomes.”

Culture – a side effect

A healthy corporate culture is one of the three critical pieces of a great employee experience. Employees spend a significant amount of their lives at work, which makes the atmosphere and community of the organization essential. When people spend 40 hours a week of what Morgan calls “prolonged exposure” in the workplace with their peers, certain company ideas and attitudes are all but contagious. A healthy culture can promote a fun environment, hard work ethic and cohesive teamwork. On the flip side, an unhealthy culture can promote stressful work, toxic drama and a “business first, people second” environment that inevitably will lead to high turnover.

It is important to remember no organization can have a truly “perfect” culture; the trick is to create your ideal culture by ensuring your organization’s core values align with the people you want to see in your organization.

Technology – supports employee growth

As the central nervous system of your organization, technology will continue to power the future of work. The employee experience is only possible because of the communication and collaboration available through today’s technology. Without advances such as applicant tracking systems or messenger apps, a business cannot have an optimal recruitment or talent-tracking process, or real-time feedback or recognition. Technology empowers everything when we think about the future of work: your people and your business needs.

Organizations that don’t invest in technology will find that the human aspects surrounding it will start to break down. Investing in technology ensures your employees have all the tools they need to succeed and grow.

Space – a symbol

Whether a corporate headquarters, coffee shop or home office, everybody works in a physical space, the last critical piece to the equation. The physical workspace is also a symbol that represents your organization, and as technology continues to evolve, leading companies are creating incentives to bring employees back to the office. Creating a vibrant, technological workplace connects your employees’ sense of belonging and purpose to their jobs.

The employee experience is the next investment for organizations dedicated to workforce happiness. Ensure your employees’ well-being by taking the first step: opening communication in the three key areas of culture, technology and physical space.

Posted in Blog, Employee Experience, Featured, Talent Management

by Caleb Masters


Author Bio: Caleb is the host of The HR Break Room and a Webinar and Podcast Producer at Paycom. With more than 5 years of experience as a published online writer and content producer, Caleb has produced dozens of podcasts and videos for multiple industries both local and online. Caleb continues to assist organizations creatively communicate their ideas and messages through researched talks, blog posts and new media. Outside of work, Caleb enjoys running, discussing movies and trying new local restaurants.
