Each year, the IRS releases its Dirty Dozen list — a collection of the most prevalent tax scams designed to trick individuals and businesses out of money, sensitive data and more. While the Dirty Dozen is a valuable warning, it's far from an exhaustive list. Fraudsters are constantly evolving their tactics, which means employers and employees alike must stay vigilant year-round.
In this post, we’re sharing 14 practical tips to help safeguard against a broad range of scams, not just the ones highlighted by the IRS. From phishing emails and fake URLs to risky social media tax advice and insecure payroll platforms, these precautions can help protect your people, your organization and your data from falling into the wrong hands.
1. Scrutinize emails
Stay vigilant when it comes to your inbox. Look at actual email addresses, not just display names. If it’s an email address you don’t recognize, this should raise a red flag. Report any suspicious activity directly to your IT department, so they can investigate the potential scam and report any suspicious communications to the IRS.
2. Hover over hyperlinks
Whenever you receive an email with a hyperlink, always hover your cursor over it to view the actual URL. By doing this, you can confirm the URL actually belongs to the company it purports to be from and that it’s secure. To check that the URL is secure, look for the "s" in the https portion of the URL (versus an http URL without the "s"). Keep in mind that https only means the connection is encrypted; scammers can obtain certificates for look-alike domains too, so the domain name itself is the more important check.
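The "hover and compare" habit can also be automated for an organization's mail flow. The following is an added example (not code from the original post or from UKG): it pulls every link out of an HTML email body, compares the domain the link text shows with the domain the link actually goes to, and flags plain http. The sample email body is constructed, and the two-label domain heuristic is an assumption that ignores public-suffix cases such as co.uk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Display text that itself looks like a URL or a bare domain,
# e.g. "https://www.irs.gov/refunds" or "irs.gov" (plain words like "click here" do not match).
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive 'last two labels' heuristic (assumption: no public-suffix list,
    so co.uk-style domains are not handled correctly)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, display_text):
    """Return the problems a careful reader would spot when hovering over the link."""
    findings = []
    target = urlparse(href)
    target_host = (target.hostname or "").lower()
    if target.scheme.lower() != "https":
        findings.append("link is not https")
    shown = DOMAIN_RE.match(display_text.strip())
    if shown:
        shown_host = shown.group(1).lower()
        # The text shows one site, the href goes to another: classic lure.
        if registrable_domain(shown_host) != registrable_domain(target_host):
            findings.append(f"display text shows {shown_host} but link goes to {target_host}")
    return findings


def scan_email(html):
    """Return (href, text, findings) for every link in the message body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample email body for the demo (not a real message).
SAMPLE_EMAIL = """
<p>Your refund is ready. Confirm your account at
<a href="http://irs.gov.refund-portal.example/login">https://www.irs.gov/refunds</a></p>
<p>Official forms are at <a href="https://www.irs.gov/forms">IRS forms</a>.</p>
"""

if __name__ == "__main__":
    for href, text, problems in scan_email(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if problems else "ok"
        print(f"{status:10} {text!r} -> {href} {problems}")
```

The first link in the sample is flagged twice (it is plain http, and the text shows www.irs.gov while the href goes to a refund-portal.example host); the second link passes. In a real deployment the same check would run on inbound mail before it reaches the inbox, with flagged messages routed to IT for review.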
3. Think before you click
If you overlook the actual email address (which is easy enough to do), the content of the email can be the next best indicator that something’s amiss. Never click on a link or attachment included in an email, especially if it’s requesting login information. Sensitive personal information should never be sent over email. Instead, go directly to the source. Directly contact the sender or a trusted source like your HR team to confirm it’s a legitimate request.
4. Stay informed
Make sure you are in the know about active and emerging scams by following news updates from the IRS and FBI. Also, make sure security is paramount throughout your organization, and everyone is informed of scams that could impact them. If the right precautions are put in place and you’re able to establish a security-first culture, you’ll be in a much better, more informed position.
5. Be on high-alert during vulnerable periods
Whether it’s year-end, tax time, holiday shopping season or any other busy or vulnerable time, scammers are ready and eager to strike. Knowing which scams are popular during certain times of the year can help. But take this one step further and make vigilance a group endeavor by holding “cyber security huddles” and appointing “security captains” to head up communications during scammer-prone times.
6. Leverage security awareness training & tools
Employers play a key role in helping employees recognize and respond to potential threats. Offering security awareness training — either by developing it internally or partnering with a trusted third-party vendor — is an important step in creating a more aware workforce. Some vendors (such as KnowBe4) even provide customizable tools that make it easy to tailor training to an organization’s specific needs. HR, payroll and other business leaders should work closely with their IT department or provider to implement a program that educates employees on identifying scams, practicing safe online behavior and protecting sensitive data throughout the entire year.
7. Use multifactor authentication
Multifactor authentication adds an extra layer of security by requiring users to provide two or more forms of identity verification before they’re able to log in to a system. With multifactor in place, scammers who have obtained a password will still need another unique identifier or identifiers to access the account.
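To make the "password alone is not enough" point concrete, here is an added example (not code from the original post or from UKG) of the time-based one-time password (TOTP) scheme that authenticator apps use, implemented from the RFC 4226 / RFC 6238 definitions with only the Python standard library. The user record, password and shared secret are constructed for the demo; the login function stores the password in plain text only to keep the demo short, which a real system must not do.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` decimals."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second windows since the epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the current window plus `window` steps either side to tolerate clock drift.
    The comparison is constant-time so the check itself leaks nothing about the right code."""
    if for_time is None:
        for_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret, for_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Constructed user store for the demo. The secret is the RFC 6238 test-vector secret;
# a real deployment generates a random secret per user when they enrol their authenticator.
USERS = {
    "alice": {"password": "hunter2-correct-horse", "totp_secret": b"12345678901234567890"},
}


def login(username, password, code, now=None):
    """Both factors must pass: a stolen password without the authenticator secret fails."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(user["password"], password):
        return False
    return verify_totp(user["totp_secret"], code, for_time=now)


if __name__ == "__main__":
    secret = USERS["alice"]["totp_secret"]
    now = int(time.time())
    current = totp(secret, now)
    print("code the authenticator app would show right now:", current)
    print("password only, no valid code:", login("alice", "hunter2-correct-horse", "000000", now))
    print("password plus current code:  ", login("alice", "hunter2-correct-horse", current, now))
```

The secret never travels with the password: a phishing page that captures the password (or even one stale six-digit code) cannot mint the next code, which is why the list above puts multifactor authentication before password strength.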
8. Use strong passwords
While multifactor authentication is helpful in reducing security threats, it is also important to have strong passwords to begin with. As discussed in another B2E blog, passwords should ideally have at least 15 characters and contain a combination of letters (uppercase and lowercase), phrases, numbers and symbols. Do not use the same passwords for every account. Also, instead of using default or temporary passwords that come with accounts or devices (including printers), create your own. To make managing and remembering a high volume of unique passwords easier, consider using a password manager.
9. Keep current on security updates
Security patches are regularly released for all devices and popular web browsers. We can’t stress enough how critical these are. It’s easy to ignore the frequent messages about security updates, but they’re very important. They’re released to fix inevitable security loopholes that scammers can exploit, and should be downloaded and installed as soon as they are available.
10. Leverage anti-phishing software
Anti-phishing software can help detect and block malicious content contained in emails and websites by alerting the user of suspicious activity. Many web browsers integrate this software with a toolbar that displays actual domain names, which helps users identify fraudulent websites that are mimicking legitimate ones. Because this software is often integrated with web browsers, it’s especially important that you also keep browsers up to date.
11. Monitor changes to bank information
From time to time, employees will need to change their direct deposit information. To ensure this is done safely and securely, keep the following best practices in mind:
- Verify all changes directly with the employee. If you receive a request via email, call the employee to confirm they submitted it.
- Never collect bank information over the phone. Use a secure method, such as your payroll or HR system, for collecting and updating direct deposit details.
- Watch for executive impersonation scams. Be cautious of emails that appear to come from a CEO, CFO or other executives requesting urgent changes to account or direct deposit information. These scams are often effective because employees may hesitate to question a request from someone in a higher-level position. Again, always verify these types of requests through a separate, trusted channel.
- Always send a pre-note when updating direct deposit details. A pre-note is a zero-dollar test transaction sent to the employee's bank account to confirm the information is correct. This step helps prevent misdirected or failed deposits when live payroll is processed.
12. Avoid tax advice on social media
The best place for taxpayers to learn how to properly use tax forms, and to find the official social media channels related to taxes, is IRS.gov. IRS.gov has a forms repository with legitimate and detailed instructions for taxpayers on how to fill out the forms properly. Also use IRS.gov to find the official IRS social media accounts, or other government sites, to fact-check information.
13. Secure wireless networks
If your wireless network isn't secure, cybercriminals could be stealing your data without you even knowing it. Follow these steps to protect your wireless network:
- Change the default password of your wireless router and follow the strong password guidelines in number eight above.
- Reduce the wireless range (or power), so you're only broadcasting as far as needed. To do this, log in to your router's WLAN settings and lower the Transmit (TX) power, which is likely under an "advanced settings" option.
- Do not name your router something that's personally identifying, such as the name of your company. Also, disable the service set identifier (SSID) broadcast so it can't be seen by anyone who doesn't need to use your network.
- Do not use Wired Equivalent Privacy (WEP) to connect your computers to the router, as this is not secure.
- Do not use public Wi-Fi at coffee shops and airports when accessing business email or sensitive documents.
14. Ensure your HR and payroll technologies are secure
It goes without saying that the human capital management (HCM) technology you use to manage your HR and payroll needs to be secure. After all, this is a technology that houses a lot of sensitive business and employee data, including Social Security numbers, birth dates, addresses, tax information, benefit details, healthcare documentation, financial information and more.
Whether you’re evaluating a new HCM technology or you’re making sure your existing solution is secure, you need to know what to look for. Here are a few important security-related checkpoints that every HCM system should have in place:
- Meets the American Institute of Certified Public Accountants SOC1 Type II and AT101 SOC 2 Type II criteria for security, availability and confidentiality
- Undergoes regular audits by a reputable, third-party firm
- Meets EU/US Privacy Shield Framework criteria
- Utilizes redundancy and regular backups, so data is never lost in the case of a server or system failure
- Uses data encryption and secure transmission
- Has secure login requirements
- Password storage utilizes modern hashing algorithms
- Has firewalls, antivirus software, routine security maintenance with regular patching, security protocols and escalation processes
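The "modern hashing algorithms" checkpoint is worth seeing in code, because the difference between a modern and a legacy scheme is invisible from the login screen. This is an added example (not code from the original post or from UKG) that contrasts an unsalted MD5 digest with salted PBKDF2-HMAC-SHA256 from the Python standard library, verifies in constant time, and detects stored hashes that need to be upgraded. The iteration count is an assumption that follows current OWASP guidance for PBKDF2-HMAC-SHA256 and should be raised over time; the passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: algorithm label, PBKDF2 iterations and salt size.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_hash(password):
    """What 'not modern' looks like: unsalted, fast MD5. Identical passwords give identical
    digests, so one cracked hash unlocks every account with that password, and a GPU can
    test billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """Salted, deliberately slow hash. A fresh random salt per password means two users
    with the same password get different stored values."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    salt = base64.b64decode(parts[2])
    expected = base64.b64decode(parts[3])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(parts[1]), len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a stored value predates the current policy (wrong algorithm or too few
    iterations), so it can be upgraded transparently at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit() or int(parts[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed demo password
    print("legacy md5 (same every time):", legacy_hash(pw), legacy_hash(pw) == legacy_hash(pw))
    stored = hash_password(pw)
    print("stored record:", stored)
    print("different salt next time:", hash_password(pw) != stored)
    print("verify correct:", verify_password(pw, stored))
    print("verify wrong:  ", verify_password("Correct horse battery staple", stored))
    old = hash_password(pw, iterations=10_000)
    print("old record needs upgrade:", needs_rehash(old))
```

When evaluating an HCM vendor, the questions that follow from this are which algorithm and work factor they use, whether every stored password has its own salt, and how they migrate old records when they raise the work factor.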
Safe and secure HCM
Protecting sensitive data starts with the right foundation — and that includes the technology you trust to manage it. By ensuring your HR and payroll systems meet the highest standards for security, you can greatly reduce your risk of falling victim to scams and data breaches.
To learn about the world-class infrastructure, security and support that comes with our HCM solution, UKG Ready, download our handy resource today.