Scam Alert: When Emails from the CEO Are Not from the CEO

Someone is tricking accounting and payroll departments nationwide into providing employee W-2 information (including names, birth dates and Social Security numbers) via email. Typically, a person in the accounting or payroll department gets what appears to be a legitimate email (say, from the CEO or the CFO) asking the person to forward W-2s for all employees. The email is actually a “spoof”: the sender is made to look like the executive but is not. Those who respond to the email are unfortunately tricked into disclosing confidential employee information.

If you get this type of request from anyone, think twice about responding to it. If there is any doubt, simply pick up the phone and talk to the person making the request to verify its validity.

Likewise, such scams serve as a prudent reminder to ensure that company and employee passwords are changed regularly and chosen wisely. Many malware infections and scams breach a company via weak passwords on an individual’s email account, user-level log-on or even voicemail access. Here are some generally accepted guidelines to keep in mind when setting password rules for employees’ email and other system accounts:

  • Passwords should be changed on at least a quarterly basis. 
  • Passwords should be a minimum of 8 characters, although 10-15 characters in length is preferred. 
  • Encourage the use of a combination of upper and lower case letters, numbers and special characters (such as exclamation points and question marks).
  • Employees should not use their name, company name, position title or names of family members as part of their password. 
  • Employees should not use the same password for company accounts as for other personal accounts, and should not use the same password for various access points.
  • Employees should not write passwords down or store them anywhere in the office. Do not store passwords in a file on any computer system (including personal digital assistants, smartphones or similar devices) without encryption.
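The guidelines above can be turned into an automated check, so a payroll or IT administrator can test a proposed password against the rules before it is accepted. The following is an added example written for this post, not a tool from the original article; the employee names, company name and account list in it are constructed sample values, and it assumes (beyond the guidelines) that passwords longer than 15 characters are not penalized and that personal-info words shorter than three letters are ignored.

```python
import re
import string

# Policy parameters taken from the guidelines above.
MIN_LENGTH = 8
PREFERRED_MIN, PREFERRED_MAX = 10, 15


def personal_terms(employee_name, company_name, title, family_names):
    """Split the employee's name, company, title and family names into words to forbid."""
    terms = set()
    for phrase in [employee_name, company_name, title, *family_names]:
        for word in re.split(r"[\s\-,.]+", phrase.lower()):
            if len(word) >= 3:  # assumption: skip initials and short tokens such as "of"
                terms.add(word)
    return terms


def check_password(password, employee_name, company_name, title, family_names=()):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < PREFERRED_MIN:
        # Meets the minimum but not the preferred 10-15 range; longer is not penalized.
        problems.append(f"below preferred length of {PREFERRED_MIN}-{PREFERRED_MAX}")
    classes = {
        "upper case letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"no {name}")
    lowered = password.lower()
    for term in sorted(personal_terms(employee_name, company_name, title, family_names)):
        if term in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def find_reuse(account_passwords):
    """Given {access point: password}, return the access points that share a password."""
    by_password = {}
    for account, pw in account_passwords.items():
        by_password.setdefault(pw, []).append(account)
    return sorted(a for accts in by_password.values() if len(accts) > 1 for a in accts)
```

Run `check_password` at password-change time and `find_reuse` over a credential inventory (never over plaintext stored in a file, per the last guideline) to catch the same password being used for email, VPN and payroll access.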