Is that email REALLY from your boss? IRS warns of new phishing scheme

Let’s pretend you work in HR or in the payroll department of your company. Or better yet, you ARE the payroll department at your company.

It’s a typical Friday morning… you’re at your desk, planning your day, ready to tackle the odds and ends of the week so you can head into the weekend with a fresh slate.


Oh. An email from the CEO. That may or may not happen very often, but it definitely catches your attention. The email simply says:

Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

Who knows what she wants with that information, or how she’ll use it, but she wouldn’t ask for it if she didn’t have a good reason. Right?


hacker1Well, maybe not. That exact email was an example given by the IRS when they recently released a report describing the newest scheme that is being used by cybercriminals to gain access to employee data. The IRS reports that criminals will “spoof” the email address of an executive level employee at a company and will then use that email address to send a request to Payroll or HR for specific, sensitive employee data, including W-2s and social security numbers.

If you receive a communication of this nature, we believe it is worth your time to double check with that person to ensure the request, in fact, came from them.

At StratEx, we take security very seriously. We have many safeguards in place to keep our clients’ employees’ data secure:

  • Customizable Security Roles: So that the users who access employee data will be able to access only what they should, where they should.
  • Security Tokens at Login: Two-factor authentication is required for any security roles that have access to sensitive employee data. This provides an extra layer of security, and an audit trail showing when the user logged in, and whether or not they were successful.
  • Security Audit Trails: When accessing employees’ most sensitive data, like social security numbers, there is another audit trail, showing who accessed it and when.

These security features allow our clients to determine the level of access for each person in their company, and give them the tools to understand who has accessed sensitive data.

We believe keeping sensitive employee data in the database and out of email Inboxes is a best practice for the highest-level of security. So think twice when you get that ping! and a request for a bunch of sensitive data. No matter WHO is asking for it.