As an employee, when the CEO or other executive asks you to jump, the typical response is “how high?” So if you were to get an email from the CEO asking for a list of employee data, you probably wouldn’t question it. You’d probably send the info as soon as possible and without too much thought.
Cybercriminals who understand the position of power that company executives possess are using these relationships to obtain sensitive employee data. The practice is called “spoofing” because the thieves pose as the CEO or another high-level executive, using the real executive’s name in an email to those within the company who have access to W-2s and Social Security numbers (typically people in the payroll or human resources departments). The criminals then use the data to file false refund returns or sell it to third parties.
The IRS issued a statement yesterday alerting the public to this new kind of phishing scheme:
If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.
~ IRS Commissioner John Koskinen
I guess the question some payroll people will have is “what should I do to check it out?” Every company and every office is different. Your response may depend on the formality of your office and the relationship you have with the executive who requested the info. In some circumstances it may not be appropriate to knock on the CEO’s door asking if he/she emailed you. It might be a little awkward emailing back asking the CEO what he plans on doing with the info, or asking if he can authenticate by giving you the name of his favorite childhood pet or his mother’s maiden name.
I suspect that in most cases the email address of the sender will be a dead giveaway. If you don’t recognize the email address, then you can ask the follow-up questions or pay the CEO a visit. Having said that, I don’t know for sure that these cybercriminals cannot send emails that appear to be sent from a company email system, in which case it might be wise to ask about the childhood pet anyway. Better safe than sorry, even if the price is a little embarrassment.
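The “check the sender address” advice above can be turned into a simple mail-filter rule. The following is an added example, not code from the original post: it compares the display name on an inbound message against a small directory of executives and flags the message when the From address, or a Reply-To address, is not that executive’s real mailbox. The executive name, the mailboxes and the sample messages are all constructed for the example.

```python
"""Flag inbound mail whose display name claims to be a known executive but whose
From or Reply-To address is not that executive's real company mailbox."""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption for this example): the display names the
# company's executives actually use, mapped to their real mailboxes.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}


def check_sender(raw_message: str) -> list[str]:
    """Return the reasons a message looks like executive spoofing (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected is None:
        return []  # display name does not claim to be an executive; nothing to flag
    reasons = []
    if from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' but sender address is {from_addr}")
    # A genuine From address can still be paired with a Reply-To that routes
    # the payroll reply elsewhere, so check that header as well.
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != expected:
        reasons.append(f"Reply-To {reply_addr} differs from executive mailbox {expected}")
    return reasons


# Constructed sample messages (not real mail).
LEGIT = "From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\n\nCan you send the headcount report?\n"
LOOKALIKE_DOMAIN = "From: Jane Doe <jane.doe@example.net>\nTo: payroll@example.com\n\nSend me all employee W-2s.\n"
REPLY_TO_SWAP = ("From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@example.org\n"
                 "To: payroll@example.com\n\nSend me all employee W-2s.\n")
UNRELATED = "From: Bob Smith <bob@example.org>\n\nLunch?\n"

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("lookalike", LOOKALIKE_DOMAIN),
                          ("reply-to", REPLY_TO_SWAP), ("unrelated", UNRELATED)]:
        print(label, "->", check_sender(sample) or "ok")
```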