

Heads up: In recent months, a number of federal agencies, including the FBI and IRS, have been warning employers about new scams targeting employees' direct deposit, W-2 and I-9 information. These scams have already wreaked havoc on scores of companies.

Here are three of the most problematic scams you need to be aware of:

  1. Direct deposit information

The most recent warning for employers came from the FBI. It describes a phishing scam in which cybercriminals trick employees into unwittingly giving the scammer access to the company's self-service payroll platform.

In the version of the scam businesses will be most interested in, someone posing as a member of the company's HR department sends an email asking an employee to click a link in the message and log into their self-service account.

The scammer will claim the employee must do this in order to:

  • view a confidential email from HR
  • view changes to the employee’s account, or
  • confirm that the account should not be deleted.


However, the link leads to a page controlled by the scammer. When the employee enters the requested login details, they are handing over their credentials, which give the scammer access to the employee's W-2 and paystub information. The scammer can then change the employee's direct deposit instructions and avoid detection by changing the email address the platform uses to notify the employee that such changes were made.

Scammers may also change the employee's password or other credentials to keep the fraud from being discovered for as long as possible. In many cases, employers aren't aware anything is wrong until workers report that their wages aren't being deposited.

To prevent falling victim to this scam, the FBI is warning employers to:

  • Train employees to watch for phishing emails and suspicious links. Checking the sender's actual email address rather than just the display name can be crucial to spotting the attack early.
  • Require two-factor authentication on HR self-service platforms. For example, users can be required to enter a second password that is emailed to them or a code from a hardware token.
  • Set up alerts for administrators on self-service platforms so that unusual activity can be caught before money is lost. Alerts may be triggered, for example, when banking information is changed to the kind of online bank accounts typically used by fraudsters.
  • Set a time delay between a change to direct deposit information in the self-service portal and the first deposit into the new account, to reduce the chance that funds are stolen before the change is noticed.
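The three technical controls above (checking the real sender address, alerting on suspicious changes, and holding new bank details for a waiting period) can be wired into ordinary audit-log review. The following Python is an added example written for this article; it is not the FBI's guidance or any vendor's code. The audit-log format, the field names, the company domain, the thresholds and the routing-number watchlist are all assumptions, and the log lines are constructed for the demonstration.

```python
# Added example (not from the article or the FBI advisory): detection and
# hold-period logic over a payroll self-service audit log. The log format,
# field names, thresholds and the routing-number watchlist are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"    # assumption: the employer's own mail domain
LINK_WINDOW = timedelta(hours=1)  # assumption: email change then bank change this close is suspicious
HOLD_PERIOD = timedelta(days=7)   # assumption: new bank details are not paid until this old
# Assumption: routing numbers seen in earlier fraud cases; populate from your own incidents.
WATCHED_ROUTING = {"000000000"}

# Constructed sample log, one event per line: timestamp|user|event|key=value;...
SAMPLE_LOG = """\
2019-03-04T08:55:12|jdoe|login|ip=203.0.113.7
2019-03-04T08:57:40|jdoe|email_changed|new=jdoe.payroll@mail.example
2019-03-04T08:58:03|jdoe|bank_changed|routing=123456789;account=****4321
2019-03-05T09:10:00|asmith|login|ip=192.0.2.10
2019-03-06T12:00:00|asmith|bank_changed|routing=000000000;account=****9876
2019-02-20T10:00:00|bcarter|bank_changed|routing=987654321;account=****1111
"""


def parse_log(text):
    """Parse the pipe-delimited audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, details = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in details.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, **fields})
    return events


def spoofed_sender(from_header):
    """True if the real address behind a From: header is outside the company
    domain, whatever the display name claims (the check in the first bullet)."""
    _display, addr = parseaddr(from_header)
    return not addr.lower().endswith("@" + COMPANY_DOMAIN)


def flag_account_takeovers(events):
    """Return (user, reason) alerts for two patterns the article describes:
    a notification-email change shortly before a bank change, and a bank
    change to a routing number on the watchlist."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "bank_changed":
                continue
            # events by the same user inside the link window before this change
            recent = [p["event"] for p in evs[:i] if e["ts"] - p["ts"] <= LINK_WINDOW]
            if "email_changed" in recent:
                alerts.append((user, "email_changed_before_bank_change"))
            if e.get("routing") in WATCHED_ROUTING:
                alerts.append((user, "watched_routing_number"))
    return alerts


def apply_hold(events, payroll_run_iso):
    """For each user with a bank change, decide whether the payroll run on the
    given date pays the 'new' account or still the 'old' one, enforcing
    HOLD_PERIOD between the change and the first deposit."""
    payroll_run = datetime.fromisoformat(payroll_run_iso)
    decision = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # latest change per user wins
        if e["event"] != "bank_changed":
            continue
        age = payroll_run - e["ts"]
        decision[e["user"]] = "new" if age >= HOLD_PERIOD else "old"
    return decision


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in flag_account_takeovers(evs):
        print("ALERT", *alert)
    print(apply_hold(evs, "2019-03-08T00:00:00"))
    print(spoofed_sender('"HR Department" <hr@payroll-portal.example>'))
```

Run against the constructed log, `jdoe` is flagged because the notification email and the bank details were changed within a minute of each other, `asmith` because the new routing number is on the watchlist, and the hold logic keeps paying the old account for both of them on the next payroll run while `bcarter`, whose change is over two weeks old, is paid to the new account. The watchlist is deliberately a placeholder: the useful version is built from your own confirmed fraud cases rather than from anything in this example.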


  2. Growing W-2 scam

The IRS also recently warned employers about a W-2 scam that impacted “hundreds of organizations and thousands of employees last year.”

Reports of a Form W-2 scam skyrocketed last year (900 reports in 2017 compared to a little over 100 in 2016), and cybercriminals have easily been able to trick scores of payroll pros – and other staffers with access to payroll info – into disclosing sensitive info about the entire workforce.

In general, the scam involves an email that appears to come from a company executive, asking payroll staff for a list of employees and their W-2s.

With its warnings, the IRS is hoping to prevent another record year for scammers.


  3. A convincing I-9 request

Finally, if you get a very convincing email from the U.S. Citizenship and Immigration Services (USCIS) agency about info on your employees’ I-9s, don’t follow the instructions.

The I-9 info request is yet another in a series of sophisticated scams targeting employers. And the scam appears to be working.

Employers aren’t required to submit Forms I-9 to the USCIS, so such a request may raise some red flags for some folks. But the request is tripping up employers because the emails look very authentic. In fact, the emails actually come from a address. Plus, they even contain labels from both USCIS and the Office of Inspector General.

As if that’s not enough to fool some time-strapped HR pros, many of the emails also contain other details designed to make the messages appear legitimate — like your company’s mailing address.

The USCIS, however, has made it abundantly clear that it is not sending emails to employers about their I-9s. It is also warning firms not to click on any links in the email or respond to the sender.

Employers may also be tripped up because the feds recently announced they are ramping up I-9 audits, and firms want to respond as quickly as possible to any I-9-related requests. Again, the USCIS won’t email about an I-9 audit.