Direct deposit scams mimic HR and go after employees’ tax refunds

Two years’ worth of warning Payroll departments to combat W-2 phishing attempts seems to have paid off.

There’s bad news anyway: Phishers are targeting employees and taxpayers directly. The IRS has issued two alerts regarding the direct deposit of phony tax refunds. Similarly, the FBI has spotted a scam regarding direct deposit of employees’ pay. The headaches, it seems, just won’t go away.

No, that direct deposit email isn’t from HR

The direct deposit pay scam feeds off of employers’ payroll self-service platforms. According to the FBI, the scam targets employees directly by sending them emails pretending to be from HR.

The emails ask employees to click on a link to log into their self-service accounts and often ask them to log in to view a private email from HR, to view changes made to their accounts or to confirm that the account shouldn’t be deleted.

Needless to say, by clicking on the link and entering their self-service credentials, employees are actually giving their logon information to the phisher, who can now go into the self-service account and access their W-2 and pay stub information. The phisher can also change employees’ direct deposit information.

Icing on the cake: In order to prevent employees from catching onto the scam, the phisher changes the email address to which the self-service platform sends alerts when changes are made.

You and employees can take the following steps to protect your self-service platform:

  • Practice good email hygiene. Train employees to watch for phishing attacks and suspicious malware links. Always checking the actual email address, rather than just looking at the display name, can be crucial to early detection of the attack
  • Use two-factor authentication by requiring employees to enter a second password that’s emailed to them or a hard token code
  • Self-service platforms should alert Payroll to unusual activity (e.g., banking information being changed to online banks or alerts on TOR node IP addresses)
  • Set a time delay between when direct deposit information is changed and the next deposit of funds into the new account. Better: confirm changes with employees prior to depositing pay.

It’s not your tax refund

There are two variations on a new tax refund scam making the rounds.

In the first, the thievery begins when phishers break into accountants’ computers and steal clients’ identities. They file fake tax returns in the clients’ names and deposit tax refunds into clients’ real bank accounts.

The scam begins when a woman posing as a debt collection agency employee contacts victims to say their refunds have been deposited in error and asks them to forward the money to her. Exacerbating the problem is that the IRS does use private debt collection agencies to collect back taxes.

In another version of the scam, victims get robo calls with the bot voice saying he’s from the IRS and threatens them with criminal fraud charges, an arrest warrant and “blacklisting” of their Social Security numbers. The voice gives victims a case number and a phone number to call to return their refunds.

The IRS suggests that victims first talk to their bank reps, since bank accounts may need to be closed. Heads up for Payroll: Employees must also alert you when direct deposit linked accounts are closed. You can also reassure employees that SSNs aren’t ever “blacklisted.”

Remember, the tax refunds are phony, but it’s real money, which quite reasonably, the IRS wants back. If phony refunds were directly deposited, victims should contact their bank’s Automated Clearing House department and have it return the refund to the IRS. Victims should also call the IRS toll-free at (800) 829-1040 to explain why the direct deposit is being returned.

If the phony refund was by check that hasn’t been cashed, victims should write “Void” in the endorsement section on the back of the check. Don’t: staple, bend or paper clip the check. Do: Include a note stating, “Return of erroneous refund check because .”

If checks were cashed, victims can get copies of the checks from their banks. They must then write checks back to the U.S. Treasury. Write on the check: “Payment of Erroneous Refund,” the tax period for which the refunds were issued (i.e., 2017), their Social Security numbers and a brief explanation of the reason why the refund is being returned.

Here are the IRS’ mailing addresses, based on the city. These cities are located on the refund check’s bottom text line in front of the words TAX REFUND:

  • ANDOVER – Internal Revenue Service, 310 Lowell Street, Andover MA 01810
  • ATLANTA – Internal Revenue Service, 4800 Buford Highway, Chamblee GA 30341
  • AUSTIN – Internal Revenue Service, 3651 South Interregional Highway 35, Austin TX 78741
  • BRKHAVN – Internal Revenue Service, 5000 Corporate Ct., Holtsville NY 11742
  • CNCNATI – Internal Revenue Service, 201 West Rivercenter Blvd., Covington KY 41011
  • FRESNO – Internal Revenue Service, 5045 East Butler Avenue, Fresno CA 93727
  • KANS CY – Internal Revenue Service, 333 W. Pershing Road, Kansas City MO 64108-4302
  • MEMPHIS – Internal Revenue Service, 5333 Getwell Road, Memphis TN 38118
  • OGDEN – Internal Revenue Service, 1973 Rulon White Blvd., Ogden UT 84201
  • PHILA – Internal Revenue Service, 2970 Market St., Philadelphia PA 19104.