
It’s That Time of Year Again: Tax Phishing Season


With tax season upon us, so are security concerns. Con artists – or “malicious actors” as they’re known in information technology (IT) circles – understand that people may be more susceptible to a well-crafted phishing email during tax-filing and refund time. For example, you would most likely be suspicious of an email about your W-2 form, or of a request to complete an attached tax form, if it arrived in July, October or December. But what if the same email landed in your inbox during February, March or April?

Most phishing emails should be easy to identify; telltale signs are poor grammar and punctuation or odd capitalization. However, some attempts will be more sophisticated. Since loose clicks sink ships, here are some examples of active phishing campaigns and some phishing best practices.

The Data-Harvesting Attack

The malicious actor will pose as a potential client, asking for tax preparation assistance. The exchange seems innocuous, but the malicious actor will set up a situation in which the victim lets down his or her guard and opens an attachment at some point during subsequent emails. This attachment exploits a vulnerability, harvesting contact information, which the attacker then uses to impersonate you and claim your tax refund.

The Log-In Request Attack

As a variation of this attack, you could be tricked into clicking a link or opening an attachment that asks you to log in with your email account credentials. Again, this scam exposes contact information, opening you up to phishing attacks.

The W-2 CEO Fraud Scam

The W-2 CEO Fraud scam is yet another phishing attack that targets innocent people by impersonating the CEO, President or other authority figure in the company. The newest variation of this email attack requests the 2016 1040-EZ Form for all employees for accounting purposes and emphasizes urgency. This type of attack is extremely targeted because the malicious actor often knows who has access to the requested information and who most likely would be the employee making such a hasty request. This form of attack rarely has a formal signature, just a simple “thanks,” followed by the sender’s first name and a “Sent from my iPhone” tag. The attacker tries to make the email feel friendly, while also using authority and urgency to motivate the recipient.

Remember that sensitive information should never be transmitted over email. Legitimate institutions understand that email is not secure, and it should not be treated as secure when exchanging sensitive financial and tax information. Paycom has secure ways to upload highly sensitive documents that are entirely independent of email. Anyone who tries to circumvent secure transmitting procedures – intentionally or not – should be instructed on how to share data securely. Any phishing incidents and attempts also should be shared with your information technology security team.

The IRS/Tax Commissioner Scam

In this scam, a malicious actor will impersonate the IRS/Tax Commissioner, requesting that you fill out an attached form. The new form request is “due to a system upgrade.” The form name or number might even be a legitimate, though unfamiliar, IRS form, like the W-8BEN-E Form.

However, the fake form will have sections that not only request expected sensitive information, but also extensive bank account information such as:

  • Your bank’s branch address
  • Account officer’s name and email
  • Date account was opened
  • Date and amount of last deposit

This specific information allows the malicious actor to drain your bank accounts, in addition to claiming your tax refunds. Please note that legitimate sources will never need or request this level of account detail in order to file your taxes electronically and to complete a direct deposit.

In more personalized attacks, the malicious actor has figured out who prepares or handles your tax information and will impersonate that person. Similar to above, the attacker will ask you to fill out a form that may or may not include your banking information. Keep in mind that a malicious actor only needs basic tax information to steal your tax refund.

General Phishing Best Practices:

  1. Never send sensitive information through email.
  2. Be wary of unexpected email links, unexpected attachments and emails that stress urgency or that use fear as a motivator.
  3. Do not verify a suspicious email with an email reply.
  4. Call the sender using contact information you already have. If you don’t have contact information, independently search for the website–do not click any links.
  5. Financial institutions always send personalized emails that are addressed to you, in addition to having the last four digits of your account number. If these things are missing, be suspicious.
  6. Check the hyperlinks in all emails before clicking them by hovering over the link. Alternatively, use a bookmark that you’ve previously saved, use a Google search, or type the address manually.
  7. When looking for the URL domain name, start from the right, not the left.
    • Example: If read from left to right, http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/ appears to belong to PayPal. However, the address is actually ebay-buyprotection<dot>net, not PayPal.com.
  8. If you suspect you have been phished, contact your IT department or IT security team immediately. If you suspect that you are a phishing target, forward the email to spam@uce.gov, the impersonated institution, and your IT department.
  9. Check for HTTPS and a closed padlock icon in the address bar any time you enter confidential information into an online application. This ensures the security of information entered and indicates a legitimate and registered website.
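Best practice 7 (read the domain from the right) can be automated for mail filtering or triage. The following is an added example, not code from the original article: it undoes the `<dot>` defanging, extracts the registered domain, and reports watched brand names that appear in a URL they do not own. The brand watch list, the three-entry suffix set (a stand-in for the full Public Suffix List) and every sample URL except the article's own are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed, tiny stand-in for the Public Suffix List (assumption);
# production code should load the full list instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Hypothetical watch list of brands users are likely to be shown.
WATCHED_BRANDS = ("paypal", "ebay", "irs", "paycom")


def refang(url):
    """Undo common defanging (<dot>, [.], hxxp) so the URL can be parsed."""
    for token in ("<dot>", "[.]", "(dot)"):
        url = url.replace(token, ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def registrable_domain(url):
    """Read the hostname from the right and return the registered domain."""
    host = (urlsplit(refang(url)).hostname or "").rstrip(".")
    if re.fullmatch(r"[0-9.]+", host) or ":" in host:
        return host                      # IP literal: there is no domain name
    labels = host.split(".")
    take = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-take:])


def lookalike_findings(url):
    """Report watched brands that show up in a URL whose domain they do not own."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")
    domain = registrable_domain(url)
    owner = domain.split(".")[0]
    subdomain = host[: len(host) - len(domain)]
    userinfo = (parts.username or "").lower()
    findings = []
    for brand in WATCHED_BRANDS:
        if owner == brand:
            continue                     # the brand really owns this domain
        if brand in re.split(r"[.\-]", subdomain):
            findings.append(f"{brand}: only in subdomain of {domain}")
        if brand in re.split(r"[.\-]", owner):
            findings.append(f"{brand}: embedded in registered name {domain}")
        if brand in re.split(r"[.\-:]", userinfo):
            findings.append(f"{brand}: in userinfo before '@', host is {host}")
    return findings


# The URL from the article (still defanged) plus constructed samples.
SAMPLES = [
    "http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/",
    "https://www.paypal.com/signin",
    "https://www.paypal.com@account-check.example/login",
    "https://secure.irs.tax-refund.co.uk/form",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(registrable_domain(sample), lookalike_findings(sample))
```

An empty result means only that none of the watched names is misused; it does not show that the site is legitimate.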

 

Remember: legitimate sources, clients, colleagues, bosses, etc., should never:

  • request sensitive information in an email signed with a “Sent from my iPhone” tag
  • send forms through email
  • send generic, impersonalized email (emails that do not address you by name)
  • ask for personal or financial information through email
  • request banking information in paper/electronic document forms
  • resort to threatening or intimidating language to get you to click links in email
  • send emails with poor grammar or awkward language; always check grammar and language usage

Lastly, be suspicious of any email that requests highly sensitive information or that uses an email address that is not from the company’s domain. Check the sender’s email address. It might say it’s someone from your contacts list or a legitimate institution, but it is surprisingly easy to spoof the name associated with an email.
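The sender check above, together with the W-2 CEO Fraud traits described earlier (authority, urgency, a bare “Sent from my iPhone” sign-off), can be written as a simple mail-triage heuristic. This is an added example, not code from the original article: the company domain, the executive directory, the keyword patterns and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                           # assumed company domain
EXECUTIVES = {"dana smith": "dana.smith@example.com"}    # constructed directory
TAX_TERMS = re.compile(r"\b(w-?2|1040|tax form)", re.IGNORECASE)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away)\b", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def review_message(raw):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body
    flags = []
    if domain_of(address) != COMPANY_DOMAIN:
        flags.append("sender address is outside the company domain")
    known = EXECUTIVES.get(name.strip().lower())
    if known and address.lower() != known:
        flags.append("display name is an executive, address is not theirs")
    if reply_to and domain_of(reply_to) != domain_of(address):
        flags.append("replies go to a different domain")
    if TAX_TERMS.search(text):
        flags.append("asks about tax records")
    if URGENCY.search(text):
        flags.append("stresses urgency")
    if "sent from my iphone" in body.lower():
        flags.append("informal mobile signature")
    return flags


# Constructed sample messages (not real mail).
SPOOFED = (
    'From: "Dana Smith" <dana.smith@exec-mail.example.net>\n'
    "Reply-To: dsmith@mailbox.example.org\n"
    "Subject: Employee W-2s\n"
    "\n"
    "I need the W-2 forms for all employees right away for accounting.\n"
    "\nThanks,\nDana\n\nSent from my iPhone\n"
)
GENUINE = (
    'From: "Dana Smith" <dana.smith@example.com>\n'
    "Subject: Lunch Thursday\n"
    "\n"
    "See you at noon.\n"
)

if __name__ == "__main__":
    for flag in review_message(SPOOFED):
        print("-", flag)
```

The check compares the address inside the angle brackets, not the display name, because the display name is the part a sender can set freely.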


by Paul Baresel


Author Bio: With expertise in compliance, data leak prevention and enterprise e-discovery, Paul Baresel brings more than 13 years’ experience in cybersecurity to his role as Paycom’s Information Technology Security Manager. He previously served in similar roles at American Energy Partners, Farmers Insurance and Chesapeake Energy. After graduating from the University of Central Oklahoma with a degree in information systems management, the native Oklahoman earned his MBA from Oklahoma Christian University. Outside of work, he enjoys running, climbing and spending time with his wife and their three children.


You Are 2 Steps Away From Being More Productive


Productivity often is touted as the Holy Grail of today’s workforce. Countless books and apps are packed to the brim with tips promising to make you more efficient, while today’s managers scour for — and promote — candidates with past episodes of grand productivity.

You would think that with such pushes, a steady increase in individual and workplace productivity would exist. You would be wrong.

The Myth of Productivity

In a recent Bureau of Labor Statistics report, the productivity change between 2007 and 2016 in the nonfarm U.S. business sector increased 1.1 percent, an all-time low since the 1940s. Scholars give a myriad of reasons for this dip, ranging from a decrease in innovation to repercussions from the Great Recession; however, this stark stat likely makes even the most motivated worker feel defeated.

But the thing about leaders is they have something others lack: foresight. Leaders see the bigger picture. They believe that their actions actually matter, and in fact, that those actions can inspire others.

You can’t control the changes that come with working in a knowledge economy, but you can control what you do each day. Below are two proactive ways to incite productivity in your daily life.

  1. Prioritize Time

Think back to a time when you felt like you were crushing it.

Perhaps you were working on a report or managing a team, and you were completely engrossed in your task. Now think through your typical day: Likely, there are moments of productivity … and then you get a text or an email or a meeting request, perhaps all at the same time. Information is everywhere; it clouds our lives. A 2015 Deloitte study noted that in a single day, people exchange more than 100 billion emails, yet only one in seven of those emails could be qualified as extremely important.

Although technology has made space for innovation and ease, it also has been a metaphorical shock to the U.S. workforce’s system. Indeed, many experts who study time management have changed the ubiquitous phrase of “multitasking” to the more apt “rapid toggling” to communicate the futile effort of doing multiple things at once, even when technology promises we can.

Studies have shown that if you want to do deep work that puts you in a state of flow and ahead of your competitors, then you must prioritize uninterrupted, focused time. In fact, a recent article in Harvard Business Review outlined the importance of restorative silence for busy individuals: “Recent studies are showing that taking time for silence restores the nervous system, helps sustain energy and conditions our minds to be more adaptive and responsive to the complex environments in which so many of us now live, work and lead.”

You may ask (while frantically scanning your bursting inbox), “How do I do this?”

Start by identifying a time during your day when your presence isn’t really required. Perhaps you need to attend that recurring weekly meeting only every other week, or maybe you can send an employee in your stead. Assess your daily rituals — maybe that morning stroll around the office where you chat with everyone could happen later in the afternoon so your mornings are free from distraction. Is your office door always open? See what happens if you shut it for 30 minutes. Chances are no one will notice that time you’ve stolen away for yourself, and you’ll have space to focus on what really matters.

  2. Prioritize Values

There is a reason that successful companies put such stock in their values and vision: Clarity makes space for progress. In 2015, General Electric executives took time to verbalize the company’s values, after feeling the business was becoming too complex. Known as “the GE Beliefs,” those values acted as a road map for them to plot out and execute their top priorities.

A Deloitte University Press article noted, “The GE Beliefs play a large role in leadership development and are also used to change how GE recruits, how it manages and leads and how its people are evaluated and developed.”

GE is just one example of many companies putting emphasis on clearly articulating core values in order to spur output. And if successful companies are doing so, why wouldn’t you?

According to Inc. 500 entrepreneur Kevin Daum, “Much like company core values, your personal core values are there to guide behavior and choice.”

How do you craft a list of personal values? Glance over your job description, reassess your passions and future goals, and then put pen to paper. The list of values doesn’t have to be long, but it must be clear. To spur ideas, look at examples from companies like Zappos and Facebook.

Once you have your values nailed down, certain tasks that have been consuming your time likely will lose their urgency. For example, if innovation is part of your purpose, but the last time you researched new advances in your field was six months ago, then it’s time to reassess either your values or how you’re spending your time.

Productivity can be tricky to quantify, but creating a conducive environment is a great place to start. Making crucial space and aligning your daily tasks to your vision are two steps in the right direction.

Posted in Blog, Featured, Leadership, Talent Management


Author Bio: Oden-Hall is an award-winning public relations, communications and marketing professional with over 20 years’ experience driving corporate strategy for Fortune 500 companies. Her Oklahoma roots and passion coupled with her global experience and creative flair have helped her drive numerous successful strategic initiatives. She joined the Paycom team as Chief Marketing Officer in April of 2012.


What Do Millennials and Today’s CEOs Have In Common?


HR industry experts have devoted a lot of time and research into demystifying millennial employees, only to discover that this younger generation has more in common with mature, seasoned employees than once thought.

This is especially true when it comes to the desire for day-one productivity. The C-suite values new hires who can become contributors faster; millennial employees, who were born between 1981 and 2000, crave the opportunity to do just that.

So, the goal they share is a desire to be immediately productive – to be a valued contributor as soon as they walk through the front door.

Getting an early start

Growing up when technological advances made instant gratification a way of life, millennials have come to expect it in almost every aspect of their lives, including work. Young employees want to feel purposeful in their jobs, and nothing meets that need quite like getting the chance to work on the first day, instead of filling out form after form and memorizing the alarm code.

One way to get there is by designing an onboarding process that gives new hires the ability to complete onboarding tasks efficiently, either on or before day one. Consider incorporating the following strategies into your plan:

  • “Preboard” new hires.

    Allow them to complete new-hire paperwork and train electronically, via an employee self-service portal. They can get the groundwork done before they even start in order to hit the ground running on their first day.

  • Assign goals and expand training.

    According to Gallup, half of employees don’t understand what’s expected of them at work. To prevent this type of uncertainty from affecting a new hire’s productivity, include training on his or her individual role, and what his or her job looks like when done well.

  • Introduce your culture.

    Understanding what your company values can help new hires feel confident about making smart decisions. Not only can this boost early productivity, but it can help build long-term engagement, too.

Just a few tweaks to the traditional onboarding process can help new hires devote more time and attention to the activities that will help them become a valued contributor sooner than later. And that’s something both your C-suite and millennial new hires will love.

Posted in Blog, Employee Engagement, Featured, Leadership, Pre-Employment, Talent Management


Author Bio: Oden-Hall is an award-winning public relations, communications and marketing professional with over 20 years’ experience driving corporate strategy for Fortune 500 companies. Her Oklahoma roots and passion coupled with her global experience and creative flair have helped her drive numerous successful strategic initiatives. She joined the Paycom team as Chief Marketing Officer in April of 2012.


Oregon Creates Landmark State Retirement Plan


This year, the state of Oregon will launch a landmark, statewide retirement program: OregonSaves. This program requires private employers to automatically enroll employees in retirement accounts. The goal is to benefit almost 1 million Oregonians who currently lack access to employer-sponsored retirement programs.

OregonSaves has been in the works for the last few years and will officially kick off in July 2017 with a volunteer pilot phase. Full program implementation is scheduled to begin in November 2017, starting with employers who have 100 or more employees.

What This Means for Oregon Employers

Employers that do not offer retirement plans are required to inform employees about the program and automatically enroll them. Additionally, they will have to:

  • Provide employee data to the state to allow the state to set up accounts for the employee.
  • Set up payroll deductions for employees participating in OregonSaves.
  • Track employee decisions as to contribution levels or to opt out.

Employers who already provide retirement options do not have to offer OregonSaves. Those employers will complete a simple certification process.

What’s Next?

Oregon is the first state to offer a program of this nature. California and Illinois likely will launch similar programs by 2019. It is important to note, however, that there are currently bills pending in the federal legislature to overturn rules that make it easier for states to create such plans. If these bills pass, state programs could be stalled. Oregon does plan to move forward with its retirement plan regardless of how the legislature acts, so employers should be prepared. Paycom’s Benefits Administration Suite can help employers accurately track the data they will be required to transmit to OregonSaves.

Posted in Blog, Compliance, Employment Law, Featured

by Alyssa Looney


Author Bio: As a compliance attorney for Paycom, Alyssa Looney monitors laws, rules and regulations to ensure that the Paycom software is up to date, specifically regarding immigration law and state law developments in the Western United States. She holds a JD and an MBA from Pennsylvania State University, as well as a bachelor’s degree from Texas A&M University. Outside of work, Alyssa enjoys cooking, being active, playing with her puppy and exploring Oklahoma City.
