
It’s That Time of Year Again: Tax Phishing Season


With tax season upon us, so are security concerns. Con artists – or “malicious actors” as they’re known in information technology (IT) circles – understand that people may be more susceptible to a well-crafted phishing email during tax-filing and refund time. For example, you would most likely be suspicious of an email about your W-2 form, or a request to complete an attached tax form, if it arrived in July, October or December. But what if the same email landed in your inbox during February, March or April?

Most phishing emails should be easy to identify; telltale signs are poor grammar and punctuation or odd capitalization. However, some attempts will be more sophisticated. Since loose clicks sink ships, here are some examples of active phishing campaigns and some phishing best practices.

The Data-Harvesting Attack

The malicious actor will pose as a potential client, asking for tax preparation assistance. The exchange seems innocuous, but the malicious actor will set up a situation in which the victim lets down his or her guard and opens an attachment at some point during subsequent emails. This attachment exploits a vulnerability, harvesting contact information, which the attacker then uses to impersonate you and claim your tax refund.

The Log-In Request Attack

As a variation of this attack, you could be tricked into clicking a link or opening an attachment that asks you to log in with your email account credentials. Again, this scam exposes contact information, opening you up to further phishing attacks.

The W-2 CEO Fraud Scam

The W-2 CEO Fraud scam is yet another phishing attack that targets innocent people by impersonating the CEO, President or other authority figure in the company. The newest variation of this email attack requests the 2016 1040-EZ Form for all employees for accounting purposes and emphasizes urgency. This type of attack is extremely targeted because the malicious actor often knows who has access to the requested information and who most likely would be the employee making such a hasty request. This form of attack rarely has a formal signature, just a simple “thanks,” followed by the sender’s first name and a “Sent from my iPhone” tag. The attacker tries to make the email feel friendly, while also using authority and urgency to motivate the recipient.

Remember that sensitive information should never be transmitted over email. Legitimate institutions understand that email is not secure, and it should not be treated as such when exchanging sensitive financial and tax information. Paycom has secure ways to upload highly sensitive documents that are entirely independent of email. Anyone who tries to circumvent secure transmission procedures – intentionally or not – should be instructed on how to share data securely. Any phishing incidents and attempts also should be reported to your information technology security team.

The IRS/Tax Commissioner Scam

In this scam, a malicious actor impersonates the IRS or a Tax Commissioner and asks you to fill out an attached form. The new form request is “due to a system upgrade.” The form name or number might even be a legitimate, though unfamiliar, IRS form, like the W-8BEN-E Form.

However, the fake form will have sections that not only request expected sensitive information, but also extensive bank account information such as:

  • Your bank’s branch address
  • Account officer’s name and email
  • Date account was opened
  • Date and amount of last deposit

This specific information allows the malicious actor to drain your bank accounts, in addition to claiming your tax refunds. Please note that legitimate sources will never need or request this level of account detail in order to file your taxes electronically and to complete a direct deposit.

In more personalized attacks, the malicious actor has figured out who prepares or handles your tax information and impersonates that person. Similar to the above, the attacker will ask you to fill out a form that may or may not include your banking information. Keep in mind that a malicious actor only needs basic tax information to steal your tax refund.

General Phishing Best Practices:

  1. Never send sensitive information through email.
  2. Be wary of unexpected email links, unexpected attachments and emails that stress urgency or that use fear as a motivator.
  3. Do not verify a suspicious email with an email reply.
  4. Call the sender using contact information you already have. If you don’t have contact information, independently search for the website; do not click any links in the email.
  5. Financial institutions always send personalized emails that are addressed to you, in addition to having the last four digits of your account number. If these things are missing, be suspicious.
  6. Check the hyperlinks in all emails before clicking them by hovering over the link. Alternatively, use a bookmark that you’ve previously saved, use a Google search, or type the address manually.
  7. When looking for the URL domain name, start from the right, not the left.
    • Example: If read from left to right, http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/ appears to belong to PayPal. However, read from the right, the address is actually ebay-buyprotection<dot>net, not PayPal.com.
  8. If you suspect you have been phished, contact your IT department or IT security team immediately. If you suspect that you are a phishing target, forward the email to spam@uce.gov, the impersonated institution, and your IT department.
  9. Check for HTTPS and a closed padlock icon in the address bar any time you enter confidential information into an online application. This ensures the security of information entered and indicates a legitimate and registered website.
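The link-checking advice in steps 6 and 7, as an added example that is not code from the original post: a small Python checker that reads the domain name from the right, as step 7 describes, and compares the text shown in an email against where its link really points. It assumes a two-label shortcut for the owner’s domain and a constructed list of watched brand names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs: the defanged link quoted in the post, and a
# genuine-looking PayPal link for comparison.
SAMPLE_LINKS = [
    "http://www.paypal.com-verify-transactionid-84937213938021.login.ebay-buyprotection<dot>net/",
    "https://www.paypal.com/signin",
]

# Assumption: brand names worth watching for in this example; a real deployment
# would list the institutions your organisation actually deals with.
WATCHED_BRANDS = ("paypal", "ebay")

# Display text that itself looks like a web address (hover check, step 6).
HOST_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


def refang(url: str) -> str:
    """Undo the '<dot>' defanging used in the post so the URL can be parsed."""
    return url.replace("<dot>", ".")


def hostname_of(url: str) -> str:
    """Lower-cased host part of a URL, without scheme, port or path."""
    host = urlsplit(refang(url)).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host


def registrable_domain(url: str) -> str:
    """Step 7: read from the right, e.g. 'ebay-buyprotection.net'.

    Assumption: the rightmost two labels are the owner's domain. Suffixes such
    as '.co.uk' break this shortcut; production code should consult the
    Public Suffix List instead.
    """
    labels = hostname_of(url).split(".")
    return ".".join(labels[-2:])


def brand_lookalike(url: str, brands=WATCHED_BRANDS) -> list:
    """Brands a link imitates: the name appears somewhere in the host, but the
    domain read from the right belongs to someone else. Empty means no mismatch."""
    host = hostname_of(url)
    owner = registrable_domain(url).split(".")[0]  # e.g. 'ebay-buyprotection'
    return sorted(b for b in brands if b in host and owner != b)


def link_text_mismatch(display_text: str, href: str) -> bool:
    """Step 6: the text shown in the mail names one domain, the href another.
    Plain words such as 'Click here' cannot mismatch and return False."""
    shown = display_text.strip()
    if not HOST_LIKE.fullmatch(shown):
        return False
    if "://" not in shown:
        shown = "http://" + shown
    return registrable_domain(shown) != registrable_domain(href)


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n  owner domain : {registrable_domain(link)}"
              f"\n  imitates     : {brand_lookalike(link) or 'nothing'}")
```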


Remember: legitimate sources, clients, colleagues, bosses, etc., should never:

  • request sensitive information in an email signed with a “Sent from my iPhone” tag
  • send forms through email
  • send generic, impersonal email (emails that do not address you by name)
  • ask for personal or financial information through email
  • request banking information in paper/electronic document forms
  • resort to threatening or intimidating language to click links in email
  • send emails with poor grammar or awkward language; always check grammar and language usage

Lastly, be suspicious of any email that requests highly sensitive information, or that comes from an email address that is not on the company’s domain. Check the sender’s email address. It might say it’s someone from your contacts list or a legitimate institution, but it is surprisingly easy to spoof the name associated with an email.



by Paul Baresel


Author Bio: With expertise in compliance, data leak prevention and enterprise e-discovery, Paul Baresel brings more than 13 years’ experience in cybersecurity to his role as Paycom’s Information Technology Security Manager. He previously served in similar roles at American Energy Partners, Farmers Insurance and Chesapeake Energy. After graduating from the University of Central Oklahoma with a degree in information systems management, the native Oklahoman earned his MBA from Oklahoma Christian University. Outside of work, he enjoys running, climbing and spending time with his wife and their three children.

Best Practices for Communicating Anti-Harassment Policy to a Diverse Workforce


With the current cultural emphasis on preventing workplace harassment, many employers are revising and updating their anti-harassment policies. But no matter how good your policy is, it is valuable only to the extent that you communicate it to your employees and provide them with the necessary training and resources to implement it.

In 2016, the U.S. Equal Employment Opportunity Commission issued a report about harassment in the workplace. It concluded that while training was an important part of any anti-harassment policy, such training “cannot stand alone but rather must be part of a holistic effort undertaken by the employer to prevent harassment.”

Beyond training sessions, the most effective means of communicating your anti-harassment policy to employees is to demonstrate values and behaviors that embody the principles of said policy. This helps foster a culture of inclusion and respect by modeling what is tolerated and what is not.

What training should – and shouldn’t – be

  • Company trainings remain vital, and should be interactive and frequent.
  • Executives and those in supervisory positions should have their own training sessions separately, both to avoid chilling discussion, as well as to emphasize management’s unique role in enforcing company policies and modeling appropriate behavior.
  • Tailor your training to discuss the behaviors you want to promote, as well as those you want to discourage, even if the latter may not rise to the legal definition of harassment. Avoid freighting these sessions with a large amount of information irrelevant to your workplace or industry; use examples that address everyday situations your employees face in your particular line of business and workplace environment.
  • Make training materials easy to understand. Provide them in each language commonly spoken by members of your workforce, and use everyday wording rather than excessive legalistic jargon.

Finally, keep in mind that limitations may exist under the National Labor Relations Act on company policies mandating civility, so consult with an attorney to help draft a policy that promotes the behavior you wish to see, while not infringing on employees’ right to collective action.

For more information about communicating to different types of employees, check out How to Use Personality Assessment Tests to Improve Workplace Culture and Communication. When we understand how co-workers and managers prefer to communicate, the workplace becomes a more productive, comfortable environment.

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.



by Erin Maxwell


Author Bio: As a compliance attorney for Paycom, Erin Maxwell monitors legal and regulatory changes at the state and federal level, focusing on health and employee benefits laws, to ensure the Paycom system is updated accordingly. She previously served as assistant general counsel at Asset Servicing Group in Oklahoma City. She holds a bachelor’s degree from the University of Central Oklahoma and a J.D. from the University of Oklahoma. Outside of work, Maxwell enjoys politics, historical mysteries and spending time with her family.


3 Answers to Questions About Sexual Harassment Policy


In October 2017, in light of the #MeToo movement, the HR Break Room podcast devoted an episode to workplace sexual harassment policies. Since that conversation, we have continued to receive questions on the subject, not only from our listeners, but also from Paycom blog readers and webinar attendees.

To answer those questions and examine the topic further, HR Break Room assembled a panel of leaders from Paycom’s legal and HR departments for a follow-up episode: Matthew Paque, vice president of legal and compliance; Tiffany Gamblin, HR manager; and Jason Hines, compliance attorney.

That episode, “Experts Answer: Your Sexual Harassment Policy Questions,” tackles 10 such inquiries. Here are takeaways from three of them.

When it comes to taking action on a complaint of sexual harassment, how can HR protect the company and the reporting individual?

It is the duty of HR to write a policy that protects both. Equally important is documenting that policy and consistently applying it to each report; deviations should not exist. This approach gives employees the assurance that, if sexual harassment claims are brought to light, a procedure and a mechanism are in place to handle these unfortunate scenarios.

Once you have a documented process, it is critical to communicate that procedure to employees year-round so they know how to utilize it. Are they supposed to report to a specific HR contact? Do you have a help line they can call? Is a website easily accessible detailing the steps?

How can you ensure an anonymous report is not just someone griping about another employee and is unrelated to harassment?

If your investigative process is unbiased, fair and consistent, it should be able to determine whether a complaint is fraudulent. False claims aren’t common, and your process should be prepared to weed them out. Make sure all investigation details have been reviewed thoroughly before making a decision, including whether to pursue a new direction.

For a sound investigation, never assume any claim to be frivolous; do your due diligence. In case a claim is found to be untrue, you may want to prepare a disciplinary action for the employee who made the false accusation.

How should an organization handle a harassment claim that involves people outside the company?

Listen to the panel discuss anonymous helplines and how to implement them within your organization, in the HR Break Room episode Experts Answer: Your Sexual Harassment Policy Questions.

The best practice for tackling such reports is to treat them as you would any other complaint. It may get tricky if the accused is a client or customer of your business, but strategies do exist. For one, you can report the occurrence to the client’s HR manager, and allow that entity to investigate on your behalf.

It’s also important to ensure an environment that separates the harasser from your employee, because when interaction between the two parties stops, the chances of another incident are greatly minimized. If your client is unwilling to discipline the harasser under its employ, you may wish to consider termination of your business relationship.

Regardless, your employee’s safety comes first. You do not want to give him or her the perception that your sexual harassment policy does not apply to high-paying clients. If your employee perceives he or she is being forced to deal with inappropriate behavior from a customer, that can threaten your organization’s culture and reputation. Your policy should reassure employees they will be safe and that the organization will take steps to remedy complaints.

Listen to the panel discuss seven more listener questions on sexual harassment policy, in the HR Break Room episode Experts Answer: Your Sexual Harassment Policy Questions.



by Caleb Masters


Author Bio: Caleb is the host of The HR Break Room and a Webinar and Podcast Producer at Paycom. With more than 5 years of experience as a published online writer and content producer, Caleb has produced dozens of podcasts and videos for multiple industries, both local and online. Caleb continues to assist organizations in creatively communicating their ideas and messages through researched talks, blog posts and new media. Outside of work, Caleb enjoys running, discussing movies and trying new local restaurants.


What to Do When a Charge of Discrimination Is Made


According to the Equal Employment Opportunity Commission (EEOC), more than 84,000 workplace discrimination charges were filed in 2017. Because these charges can escalate into costly lawsuits, employers must understand what to do if charges are made against them to avoid unnecessary mistakes that could cost time and money. Here is a look at what happens – and what to do – when a charge of discrimination is made against your organization.

Employer notice

When a charge is filed against your organization, the EEOC will generally notify you within 10 days. The notification will typically include the name and contact information for the investigator assigned to the case, steps to take if you are interested in mediating the charge (see discussion below) as well as a URL for you to log into the EEOC’s Respondent Portal to view and download the charge. This portal also is used to upload your organization’s position statement and responses to any requests for information during the investigation process.

The investigation process

The EEOC generally has a broad scope of authority in conducting investigations of alleged or suspected discriminatory conduct. During this process, your organization will be asked to provide certain information, which may include:

  • Position statement – This is your organization’s statement of its position in regard to the charges. In other words, it is your opportunity to tell your side of the story. Your organization should take advantage of this opportunity and include applicable policies and references to any issues and documents that would render the charges invalid.
  • Responses to Requests for Information (RFI) – These requests may be for copies of personnel policies, personnel files and other relevant information. Failure to respond may result in an administrative subpoena issued and served to your organization.
  • Employee contact information for witness interviews – The employer has the right to have a representative attend interviews of management personnel, but the EEOC can generally interview non-management employees outside the employer’s presence.

If you have information that would show that the allegations are false or that your organization did not violate the law, provide this information to the investigator. You may also be asked to permit an on-site visit by the investigator.

After the investigation

Once its investigation is complete, the EEOC will make a determination on the merits of the charge(s). Most often, it will choose not to file a lawsuit and instead issue either a Dismissal and Notice of Rights or a Letter of Determination.

The Dismissal and Notice of Rights indicates its investigation was unable to conclude that the information obtained established unlawful discrimination; however, the employee who made the complaint is free to file a lawsuit in court.

If the EEOC determines discrimination may have occurred, it will send a Letter of Determination and attempt to have the parties settle the matter outside of court. If the parties do not reach a settlement agreement, the EEOC will send the employee a Right to Sue letter, allowing him or her to bring suit in federal court. In rare cases, the EEOC may file a lawsuit on behalf of the employee.

3 Ways to Resolve Charges

In general, three methods exist for successfully resolving charges of discrimination outside of litigation: mediation, settlement and conciliation.

1. Mediation

Mediation is an informal process in which a trained mediator assists the parties to try and reach a negotiated resolution. It generally is initiated before an investigation and is completely voluntary.

This process allows the parties to resolve the matters in dispute in a way that is mutually satisfactory. It is also much faster than the traditional investigation process. The main benefit of mediating is that it allows the parties an opportunity to reach a resolution before incurring the time and expense involved in the traditional investigatory process.

If mediation is successful, the charges filed with the EEOC will be closed. If unsuccessful, the charges will be referred for investigation.

2. Settlement

Settlement of the charges may take place at any time during the investigation. Similar to mediation, settlement is completely voluntary, and the goal is to reach an agreement that satisfies both parties. Settling charges generally occurs with no admission of liability, but if a settlement is reached, those charges are dismissed.

3. Conciliation

The EEOC is required by Title VII to attempt to resolve findings of discrimination through conciliation. However, this process is triggered only after the parties have been notified that, through evidence gathered in the investigation, there was reasonable cause to believe that discrimination occurred. This process is intended to help the employer and the EEOC negotiate how the employer can change its policies and practices to comply with the laws, and also to determine any amount of damages the employer should pay to the employee.

In some instances, the employer can be at a disadvantage during this process because it may not be entirely aware of the evidentiary basis for the EEOC’s determination that discrimination has occurred. Unlike in litigation, there are no disclosure obligations.

If the conciliation process fails, the EEOC then decides whether to sue the employer in court.

Your organization should not ignore or fail to respond to charges of discrimination. Employers often conduct their own investigation to determine the claim’s merits. In many cases, employers opt to resolve charges early in the process through mediation or settlement to avoid costly litigation. However, you may choose not to engage in these types of voluntary resolutions if you feel the claims have no merit.

To learn more about preventing workplace discrimination, see our related blog posts on “Diversity Training in the Workplace: Helping Managers Understand ‘Cultural Fit’” and “2 Questions You Never Should Ask a Job Candidate … and What You Should Ask Instead.”

Disclaimer: This blog includes general information about legal issues and developments in the law. Such materials are for informational purposes only and may not reflect the most current legal developments. These informational materials are not intended, and must not be taken, as legal advice on any particular set of facts or circumstances. You need to contact a lawyer licensed in your jurisdiction for advice on specific legal problems.



by Kristin Birchell


Author Bio: As a compliance attorney for Paycom, Kristin Birchell monitors legal and regulatory changes at the state and federal level, with a focus on labor and employment laws, to ensure the Paycom system is updated accordingly. Previously, she served as an attorney at the Oklahoma City law firm Derryberry & Naifeh LLP. Birchell earned a bachelor’s degree and MBA from the University of Central Missouri, and her Juris Doctor from the Oklahoma City University School of Law. Outside of work, she enjoys cooking, hiking, going to the movies and spending time with her husband.
