HR Alerts For March 2017
IRS Warns of W-2 Email Scam
Last spring, the IRS issued a warning about an emerging phishing email scheme that targets HR and payroll departments. The scammer purports to be a company executive and requests personal information about employees – often in the form of W-2s or payroll records. The IRS gave examples of what the emails might say:
- Kindly send me the individual W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (name, SSN, date of birth, home address, salary)?
- I want you to send me copies of employees’ W-2 wage and tax statements for 2016. I need them in PDF file type; you can send it as an attachment. Kindly prepare the lists and email them to me asap.
The scammers then attempt to use the information to file fraudulent tax returns and engage in other criminal activity. For employers, a successful scam can be a costly data breach with legal consequences. For example, if an email account is hacked or accessed by an outside party, everything in the email account might be accessible to ne’er-do-wells. One of the best ways to protect your company from these sorts of scams is to have a policy and practice of never emailing sensitive employee information.
The language below may be an effective reminder:
“Employees should not under any circumstance email sensitive employee information such as W-2s, benefit enrollment forms, completed census forms, or anything with social security or credit card numbers. Email is inherently insecure, and scammers may pose as company executives or employees to steal information. If you receive a request to email any such sensitive information, do not respond to it. Instead, inform your manager immediately.”
Businesses are generally required to take reasonable precautions to protect personal information in their possession. In the event of a breach, many states require that notice be given to those whose information was compromised. This notice might need to include the cause and nature of the data breach as well as what protections are afforded to those affected.
OSHA 300A Summary Reminders
Beginning February 1, applicable employers must post their 300A Summary of Work-Related Injuries and Illnesses Form.
The Occupational Safety and Health Administration (OSHA) mandates that all employers who are required to maintain the OSHA 300 Log of Work-Related Injuries and Illnesses post a summary of the previous year’s log between February 1st and April 30th each year, even if no incidents occurred in the preceding calendar year.
The summary (OSHA Form 300A) must be certified by a company executive and posted in a conspicuous location where notices to employees are customarily posted.
All employers who had more than ten employees at any point during the last calendar year are covered by this requirement unless they qualify as part of an exempt low-risk industry.
New this year: electronic reporting begins. The OSHA 300A form will need to be submitted online to OSHA by July 1. We will send out an alert closer to this deadline with instructions for submitting the form online as OSHA has not yet released full details of this procedure.