The first couple of months of the year can be stressful for companies and their human resources teams as they prepare and distribute necessary documentation for employees. This paperwork includes W-2 forms that report wage and salary information. Employers and employees must file these documents with the IRS every year to receive a possible return on their expenses.
In 2016, businesses were plagued by complications involving hackers. Fraudsters sent spear-phishing emails, seemingly normal messages that let the sender obtain important credentials for access to information, to get at the data contained in W-2 forms. These hackers then filed false tax reports to claim returns from the IRS. Criminals are becoming increasingly sophisticated in the methods they use to acquire confidential materials. To combat these issues, companies must take the following steps:
"HR teams should educate their employees on examples of spear-phishing hacks."
Inform employees
When fraudulent situations like these become prevalent, it is HR's responsibility to keep employees updated. Simple actions, including distributing an example of a phishing email, will help workers recognize potential phishing attempts. When people know what these messages look like, they'll be less likely to hand over the requested information blindly. This preparation can save companies the time, money and credibility they would lose if a hack occurred.
Challenge and confirm
The recent attacks, which hit companies like Snapchat, involved a hacker impersonating executive leadership. It's understandable that employees would then provide the requested information, as they don't want to suspect the head of their organization of ill intent. This is a problem, however, according to CSO Online. HR teams should educate workers to always challenge these inquiries, no matter who they appear to come from. This will give administrators time to confirm the origin of the message and take the necessary steps to stop future cases.
Understand inclusion of personal data
It's easy for employees to believe a spear-phishing email is valid if it contains some pieces of their own information. Details like home addresses, phone numbers, passwords or Social Security numbers should never be sent in an email, according to PC Magazine. Their presence is a sign the message is from an untrustworthy source and should not be followed. The point of these emails is to trick the reader into believing the content is from their own company. If workers receive this type of message, they should report it to HR staff.
Companies should keep an eye on any seemingly fraudulent messages that come through their servers. It's likely that if one person received a phishing email, others did as well. Educating employees is crucial to avoiding large-scale problems in the future.