
It’s That Time of Year Again: Tax Phishing Season


With tax season upon us, so are security concerns. Con artists – or “malicious actors” as they’re known in information technology (IT) circles – understand that people may be more susceptible to a well-crafted phishing email during tax-filing and refund time. For example, you would most likely be suspicious of an email about your W-2 form, or a request to complete an attached tax form, if it arrived in July, October or December. But what if the same email landed in your inbox during February, March or April?

Most phishing emails should be easy to identify; telltale signs are poor grammar and punctuation or odd capitalization. However, some attempts will be more sophisticated. Since loose clicks sink ships, here are some examples of active phishing campaigns and some phishing best practices.

The Data-Harvesting Attack

The malicious actor will pose as a potential client, asking for tax preparation assistance. The exchange seems innocuous, but the malicious actor will set up a situation in which the victim lets down his or her guard and opens an attachment at some point during subsequent emails. This attachment exploits a vulnerability, harvesting contact information, which the attacker then uses to impersonate you and claim your tax refund.

The Log-In Request Attack

As a variation of this attack, you could be tricked into clicking a link or opening an attachment that requests that you log in with your email account credentials. Again, this scam exposes contact information, opening you up to phishing attacks.

The W-2 CEO Fraud Scam

The W-2 CEO Fraud scam is yet another phishing attack that targets innocent people by impersonating the CEO, President or other authority figure in the company. The newest variation of this email attack requests 2016 1040-EZ Form for all employees for accounting purposes and emphasizes urgency. This type of attack is extremely targeted because the malicious actor often knows who has access to the requested information and who most likely would be the employee making such a hasty request. This form of attack rarely has a formal signature, just a simple “thanks,” followed by the sender’s first name and a “Sent from my iPhone” tag. The attacker tries to make the email feel friendly, while also using authority and urgency to motivate the recipient.

Remember that sensitive information never should be transmitted over email. Legitimate institutions understand that email is not secure, and it should not be treated as such with regard to the exchange of sensitive financial and tax information. Paycom has secure ways to upload highly sensitive documents that are entirely independent of email. Anyone who tries to circumvent secure transmitting procedures – intentionally or not – should be instructed on how to share data securely. Any phishing incidents and attempts also should be shared with your information technology security team.

The IRS/Tax Commissioner Scam

In this scam, a malicious actor will impersonate the IRS/Tax Commissioner, requesting that you fill out an attached form. The new form request is “due to a system upgrade.” The form name or number might even be a legitimate, though unfamiliar, IRS form, like the W-8BEN-E Form.

However, the fake form will have sections that not only request expected sensitive information, but also extensive bank account information such as:

  • Your bank’s branch address
  • Account officer’s name and email
  • Date account was opened
  • Date and amount of last deposit

This specific information allows the malicious actor to drain your bank accounts, in addition to claiming your tax refunds. Please note that legitimate sources will never need or request this level of account detail in order to file your taxes electronically and to complete a direct deposit.

In more personalized attacks, the malicious actor has figured out and will impersonate who prepares or handles your tax information. Similar to above, the attacker will ask you to fill out a form that may or may not include your banking information. Keep in mind that a malicious actor only needs basic tax information to steal your tax refund.

General Phishing Best Practices:

  1. Never send sensitive information through email.
  2. Be wary of unexpected email links, unexpected attachments and emails that stress urgency or that use fear as a motivator.
  3. Do not verify a suspicious email with an email reply.
  4. Call the sender using contact information you already have. If you don’t have contact information, independently search for the website–do not click any links.
  5. Financial institutions always send personalized emails that are addressed to you, in addition to having the last four digits of your account number. If these things are missing, be suspicious.
  6. Check the hyperlinks in all emails before clicking them by hovering over the link. Alternatively, use a bookmark that you’ve previously saved, use a Google search, or type the address manually.
  7. When looking for the URL domain name, start from the right, not the left.
    • Example: If read from left to right, the link http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/ appears to belong to PayPal. However, the address is actually ebay-buyprotection<dot>net, not PayPal.com.
  8. If you suspect you have been phished, contact your IT department or IT security team immediately. If you suspect that you are a phishing target, forward the email to spam@uce.gov, the impersonated institution, and your IT department.
  9. Check for HTTPS and a closed padlock icon in the address bar anytime you enter confidential information into an online application. This ensures the security of information entered and indicates a legitimate and registered website.
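Step 7 written out as an added example (not code from the original post): it reads the host name from the right to find the domain a link really belongs to, then reports any brand named elsewhere in the URL. The brand watch list and the short suffix set are assumptions made for illustration; the first URL is the defanged one from the example above.

```python
import ipaddress
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption: real tooling
# should load the full list instead of this short constructed set).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Hypothetical watch list: brand name -> domain that brand really uses.
BRANDS = {"paypal": "paypal.com", "ebay": "ebay.com"}

# The defanged link quoted in the list above.
PAGE_EXAMPLE = ("http://www.paypal.com-verify-transactionid-84937213938021"
                ".login.ebay-buyprotection<dot>net/")


def refang(url):
    """Undo common defanging (<dot>, [.], hxxp) so the URL can be parsed."""
    for marker in ("<dot>", "[.]", "(dot)"):
        url = url.replace(marker, ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def registrable_domain(url):
    """Return the domain the link really belongs to, read from the right."""
    # urlsplit drops the scheme, any user@ prefix, the port and the path.
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError("no host in URL: %r" % url)
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no domain name to read
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        return host
    # Two labels from the right, or three when the suffix itself has two.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brands(url):
    """Brands named anywhere in the URL that do not own its real domain."""
    real = registrable_domain(url)
    text = refang(url).lower()
    return sorted(b for b, d in BRANDS.items() if b in text and real != d)


if __name__ == "__main__":
    for link in (PAGE_EXAMPLE,
                 "https://www.paypal.com/signin",
                 "https://paypal.com@login.example.co.uk/"):  # constructed
        print(registrable_domain(link), impersonated_brands(link))
```

The third, constructed link shows the same reading-from-the-right rule applied when the familiar name sits before an `@` sign rather than in a subdomain.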

 

Remember: legitimate sources, clients, colleagues, bosses, etc., should never:

  • request sensitive information in an email signed with a “Sent from my iPhone” tag
  • send forms through email
  • send generic, impersonalized email (emails that do not address you by name)
  • ask for personal or financial information through email
  • request banking information in paper/electronic document forms
  • resort to threatening or intimidating language to get you to click links in email
  • send emails with poor grammar or awkward language; always check grammar and language usage

Lastly, be suspicious of any email that requests highly sensitive information or that uses an email address that is not from the company’s domain. Check the sender’s email address. It might say it’s someone from your contacts list or a legitimate institution, but it is surprisingly easy to spoof the name associated with an email.
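The sender check above, combined with the tells listed for the W-2 CEO fraud scam, as an added triage example for a mail-security team (not code from the original post). The company domain, the executive name, the keyword lists and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: your organization's domain
EXECUTIVES = {"pat rivera"}      # hypothetical authority figures, lowercase
URGENCY = ("urgent", "asap", "immediately", "right away", "today")
TAX_TERMS = ("w-2", "w2", "1040", "tax form")

# Constructed sample message (not a real email).
SAMPLE = """\
From: Pat Rivera <pat.rivera@example-payroll.test>
To: hr@example.com
Subject: Employee forms needed today

I need the W-2 forms for all employees for accounting purposes ASAP.

thanks,
Pat
Sent from my iPhone
"""


def triage(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the list of phishing tells found in one raw message."""
    msg = message_from_string(raw_message)
    # The display name is free text chosen by the sender; only the address
    # part says which domain the message claims to come from.
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    internal = (domain == company_domain
                or domain.endswith("." + company_domain))
    text = (msg.get("Subject", "") + "\n" + str(msg.get_payload())).lower()

    findings = []
    if not internal:
        findings.append("external_sender_domain")
        if " ".join(display.lower().split()) in EXECUTIVES:
            findings.append("executive_name_on_external_address")
    if "sent from my iphone" in text:
        findings.append("mobile_signature")
    if any(word in text for word in URGENCY):
        findings.append("urgency")
    if any(term in text for term in TAX_TERMS):
        findings.append("tax_data_request")
    return findings


def should_escalate(findings):
    """Escalate a spoofed executive name, or tax data sought from outside."""
    return ("executive_name_on_external_address" in findings
            or {"external_sender_domain", "tax_data_request"} <= set(findings))


if __name__ == "__main__":
    found = triage(SAMPLE)
    print(found, should_escalate(found))
```

A matching domain in the From header is not proof of authenticity, so a clean result here narrows the review queue rather than clearing a message.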


by Paul Baresel


Author Bio: With expertise in compliance, data leak prevention and enterprise e-discovery, Paul Baresel brings more than 13 years’ experience in cybersecurity to his role as Paycom’s Information Technology Security Manager. He previously served in similar roles at American Energy Partners, Farmers Insurance and Chesapeake Energy. After graduating from the University of Central Oklahoma with a degree in information systems management, the native Oklahoman earned his MBA from Oklahoma Christian University. Outside of work, he enjoys running, climbing and spending time with his wife and their three children.


Staying Compliant After the Death of an Employee


When an employee passes away, you need time to process your emotions. But as an HR professional, there are also timely actions you should take to help your workforce grieve, and a few things you’ll need to address to remain compliant. While the death of an employee is never easy, it’s important to ensure any compliance matters are handled consistently with your current policies but with added grace.

Initial Steps

Although your employee wasn’t actually terminated, it’s still a best practice to follow your existing termination checklist. The checklist will help you determine what security access the deceased had so you can disable or redirect it. It will also help with remembering what keys and technology (like a laptop or cellphone) the employee may have had. Be respectful of the employee’s family and ask for these items in as sensitive a manner as you can. You may work with your internal IT department to secure devices remotely, which can protect your sensitive data while you work to connect with the right family member.

In some instances, you’ll also need to obtain a death certificate from the family. This may seem like an uncomfortable request, but you’ll need the certificate before you can proceed with many of the following steps you need to take for the employee.

Paycheck

Check your state laws to make sure you’re following the correct procedure about paying final wages. For example, some states require you to pay out unused vacation. If your state doesn’t have a law, follow your company policy.

You’ll also need to find out who the deceased’s beneficiary is so you will know who should receive his or her final wages. This should be documented either in your HRIS system or on a form in the employee’s personnel or benefit file.  If a paycheck has already been issued, but not cashed, you should reissue the check to the deceased’s beneficiary or estate.

COBRA and Life Insurance

If the employee is covered on the benefit plans, their death is a COBRA-qualifying event. If you sponsor group health plans, you must offer a continuation of group health insurance for up to 36 months to the deceased’s surviving spouse and dependents. The family must be notified about coverage within 30 days of the deceased’s death.

Prepare any relevant information for life insurance claims, if the employee had a policy in effect. They will be dealing with so many decisions that pulling this information together for them before they request it can help give those grieving one less thing to worry about. Employers may also choose to include EAP information or other company sponsored grief resources for eligible family members.

Employee Retirement Income Security Act (ERISA)

The Employee Retirement Income Security Act of 1974 requires that retirement, pension and other plans provide survivor benefits to the surviving spouse of an employee who worked after reaching the earliest possible retirement date under the plan but passed away before retiring. Since this law only pertains to employees who were able to retire but hadn’t yet, you’ll need to refer to your company’s policies to ensure compliance if the deceased was of retirement age. Benefit administrators should contact their plan providers to confirm if there is any additional action required on the deceased employee’s behalf.

To learn more about how your business can start to build procedures for an employee’s death so you can navigate the difficult time as smoothly as possible, visit our blog, “4 Questions to Consider When Handling the Death of an Employee.”

 

Posted in Blog, Compliance, Employment Law, Featured

by Callie Johnson


Author Bio: As a writer for Paycom, Callie Johnson creates content for the company’s various marketing and communications initiatives. Having earned her bachelor’s degrees in journalism from the University of Oklahoma and web design/development from Full Sail University, she has written for companies of all sizes. Outside of the office, she enjoys hand-lettering, going to the movies and spending time with her family and dogs.


How HR Could Have Helped 3 Complicated On-screen Office Relationships


With Valentine’s Day right around the corner, love is in the air and sometimes that romantic air makes its way into the office. Workplace romances may seem like something only seen in film or on TV, but according to Career Builder, 38% of American workers said they have dated a co-worker at least once in their career. That’s over a third of employees, which makes workplace romance an item every organization should have on its radar.

To better understand how HR can prepare and handle potentially tricky conversations, let’s take a look at three complicated workplace romances from film or television – and how HR could have helped.

Subscribe to HR Break Room to hear more about managing office romance.

Mulder and Scully – The X-Files

For almost 25 years, special agents Mulder (David Duchovny) and Scully (Gillian Anderson) from The X-Files have been solving supernatural and extraterrestrial cases on television. This pair of government agents work for one of the most well-known organizations in the country, the Federal Bureau of Investigation (FBI). Throughout the series, they slowly become more than just friends or coworkers and have even become romantically involved in the most recent seasons. Each episode features a case that often involves aliens, weird occurrences … and yet another development in Mulder and Scully’s evolving relationship.

How HR can help: The on-again, off-again relationship between Mulder and Scully has left audiences wondering about their status for years. That ambiguity is what makes their relationship unhealthy for the workplace. It’s important for an organization’s policy to hold employees accountable for reporting a romantic relationship with a co-worker. This transparency allows HR to hold a consistent policy that can protect both employees if they break up.

Tom and Summer – 500 Days of Summer

The greeting card industry can be tough, but a brutal breakup in the office can make it even harder! Just ask Tom Hansen (Joseph Gordon-Levitt) and Summer Finn (Zooey Deschanel) from the 2009 hit romance film, 500 Days of Summer. The romance that sparked between this on-screen couple turned out to be a bad fit that eventually led to Tom’s depression and complete disengagement from his work. It’s a classic example of how even the most beautiful romances can sometimes go sour.

 How HR can help: It’s important for HR to treat their employees like adults who are allowed to make their own mistakes. It is equally important for managers and supervisors to know about office romances so they can be prepared to handle potential drama.

In this film, Summer is the personal secretary of Tom’s manager, Vance. As the long and painful breakup unfolds, Vance is not clued in on the reason behind Tom’s disengagement, which leads to awkward workplace encounters and poor productivity. By incorporating some form of documentation confirming a workplace relationship into your organization’s policy for managers and team leads, you can foster a culture that equips leaders to better address the impact of those painful breakups.

Lois and Clark – Superman

The iconic comic book couple Lois and Clark have appeared on the screen together many times over the last several decades, but let’s take a look at the 1975 film Superman starring Christopher Reeve and Margot Kidder. Pulitzer Prize-winning reporter Lois Lane works closely with Clark Kent, who (unbeknownst to her) lives a life of fighting criminals. In the workplace, they are coworkers with great chemistry, but Lois’ professional-turned-romantic relationship with Clark’s alter ego, Superman, eventually makes her and the entire Daily Planet a target of his rivals. Clark’s dual identities complicate the root of the problem within the workplace, so that his interest in Lois puts the entire organization at risk.

How HR can help: Krypton’s last son may be great at hiding his identity, but ultimately living a life of two identities endangers people in both. That includes his coworkers Jimmy Olsen, Perry White and most importantly, his romantic interest, Lois Lane.

It’s up to The Daily Planet’s HR department to screen their candidates through an applicant tracking system with thorough background checks before making a hiring decision. This can help identify potential red flags or conflicts of interest before a new employee joins the team.

 This Valentine’s Day, take the opportunity to look closer at your existing workplace romantic relationship policies. These stories make for great entertainment – but an effective policy on workplace romance can help you make sure the drama stays on the screen and out of your office.

Posted in Blog, Featured, Talent Management

by Caleb Masters


Author Bio: Caleb is the host of The HR Break Room and a Webinar and Podcast Producer at Paycom. With more than 5 years of experience as a published online writer and content producer, Caleb has produced dozens of podcasts and videos for multiple industries both local and online. Caleb continues to assist organizations creatively communicate their ideas and messages through researched talks, blog posts and new media. Outside of work, Caleb enjoys running, discussing movies and trying new local restaurants.

Understanding the Tax Cuts and Jobs Act


With the Tax Cuts and Jobs Act (TCJA) being signed into law by President Donald Trump on Dec. 22, 2017, several changes to individual and business taxation were made. How those changes affect each taxpayer depends on that individual’s specific situation.

Below is a “big-picture” overview of various provisions affecting businesses and individuals, with more focused guidance on how the new law will affect employer withholding of employee income taxes.

 

Changes for individuals

The TCJA affects individual income taxes in a number of ways. While the law maintains the seven income brackets used in tax calculation, it reduces the tax rate for five of the brackets:

Previous Rates 10% 15% 25% 28% 33% 35% 39.6%
New Rates 10% 12% 22% 24% 32% 35% 37%

 

The new law has also changed the withholding rates for supplemental wages. For wages up to $1 million, the current rate is 22%, and for wages over $1 million, the current rate is 37% (previously 25% and 39.6%, respectively).

TCJA has eliminated the personal exemptions for individuals, spouse and dependents. Previously, a married taxpayer filing jointly could claim two exemptions: one for his or her spouse and another for themselves. In that instance, two exemptions of $4,050 each would reduce taxable income by $8,100 total.

While that exemption is gone, the TCJA nearly has doubled the standard deduction. Last year, the standard deduction was $6,350 for single filers and $12,700 for joint filers. For 2018, these levels increased to $12,000 for single and $24,000 for joint filers.

The TCJA makes several other specific changes to individual income taxes, including:

  • The individual shared responsibility mandate within the Affordable Care Act (ACA) essentially has been removed, as the penalty for noncompliance will become $0, effective Jan. 1, 2019.
  • Individuals no longer will be able to claim unreimbursed business expenses as itemized deductions.
  • A $10,000 limit has been placed on the deductibility of other taxes (state income tax, property taxes, etc.).
  • Donations to universities for athletic seating privileges are no longer deductible.
  • The child tax credit will double from the previous $1,000 value, up to $2,000 per child.

 

Changes for businesses

Businesses will need to take note of several changes within the TCJA as well. One key change: The corporate tax rate has been reduced from 35% to 21%.

Additionally, a new short-term incentive is in place for businesses that offer FMLA paid leave to their employees. Such businesses will receive a credit of 12.5% for every dollar paid for FMLA leave, up to 50% of an employee’s pay, with an additional 0.25% credit for every 1% paid above 50% of an employee’s pay.

Reductions or removals of deductible expenses that businesses should note include:

  • transportation fringe benefits
  • limitations for employer-operated eating facilities
  • deduction limitations for pay to highly paid employees and C-level employees
  • limitations to the write-offs for sexual harassment settlements
  • limitations for the deductibility of entertainment expenses

 

All of the above items will need to be discussed with your CPA or tax counsel to determine how they apply to your situation.

 

Frequently asked questions from employers

Some of the most frequent questions we have received since the president’s signing of the law pertain to the withholding tables and Form W-4 questions.

Withholding tables

The IRS released the new 2018 withholding tables on Jan. 11 in Notice 1036, with more detailed guidance released on Jan. 29 in Notice 2018-14 and Publication 15. (These changes already have been implemented in the Paycom system, ahead of the Feb. 15 implementation deadline from the IRS.)

The IRS designed the 2018 withholding tables so that employees’ existing Form W-4 data could continue to be used. Therefore, the IRS does not require employees to complete a new W-4 for 2018.

Extensions to the 2017 Form W-4

The IRS currently is working on a new 2018 Form W-4 that will allow employees to modify their withholding to take full advantage of the changes in the TCJA. The new form’s expected release is after Feb. 15.

As a result, Notice 2018-14 highlights these items relating to the 2017 Form W-4:

  1. Existing 2017 Forms W-4 furnished to claim exemption from withholding for 2017 would be extended to Feb. 28, 2018.
  2. The 2017 Form W-4 may continue to be used temporarily to claim exemption from withholding in 2018.
  3. The agency temporarily has suspended the requirement that employees must furnish new Forms W-4 to employers within 10 days of changes in status that would reduce withholding allowances they may claim.

 

Allowances and exemptions

When discussing the effects of the TCJA, it is important to understand the distinction between “allowances,” as claimed on the W-4 that are used for withholding, and “exemptions” that an individual claims on a year-end tax return.

Historically, these numbers are usually the same. For instance, last year they were $4,050 per allowance in withholding and exemptions in year-end tax returns. The number of allowances claimed on the 2017 Form W-4 was multiplied by $4,050, and an employee’s annual wages were reduced by that product to arrive at taxable wages used in withholding calculations. If the employee claimed exemptions on his or her annual return, the number of exemptions claimed likewise was multiplied by the same $4,050 to reduce taxable income on the Form 1040 year-end return.

While the TCJA has eliminated exemptions for 2018, the allowances (as used in calculation of withholding) have not been eliminated; in fact, they were increased to a value of $4,150 per allowance claimed on the W-4. Thus, for every W-4 allowance claimed, an employee’s gross income will be reduced by $4,150 to arrive at taxable wages for use in the withholding calculation. However, no exemptions will be allowed on the employee’s Form 1040 at year-end; moving forward, it is anticipated the worksheet on the 2018 Form W-4 will not include exemptions in the calculation of withholding allowances.

Voluntary submission of 2018 Form W-4

While submitting a 2018 Form W-4 is not required by the IRS at this time, an employee may elect to do so. Employees should look at the 2018 W-4 once it is released, because of the removal of exemptions from the income tax provisions. Employees should calculate the allowances on the new form to determine if they would benefit by submitting a new Form W-4 to their employer to adjust their withholding.

Until the 2018 Form W-4 is released, an employee may voluntarily choose to submit a copy of the 2017 Form W-4 if he or she wants to adjust their withholding for the period prior to the 2018 form’s release.

The recent tax reform is complex, leaving many items to consider for your employees as they head into 2018. Businesses and employees alike would benefit from consulting tax counsel to help determine the most appropriate next steps for their specific situations.

Posted in Blog, Compliance, Featured


Author Bio: Robert Barclay has been the Tax Research Team Lead at Paycom since 2012, and has been instrumental in such company projects as the development of its Affordable Care Act compliance product, implementation of geolocation services and redesign of Form W-2. He joined Paycom in 2011, bringing more than 20 years of experience with the capital markets consulting practices of Ernst & Young in Memphis, Tenn., and Birmingham, Ala.; and Causey Demgen & Moore in Denver, Colo. A native Oklahoman, Barclay is a graduate of Rhodes College in Memphis, where he played football as linebacker.
