Phishing emails often ask targets to logon to view a private email from their HR department.

Share story

The FBI is warning office workers and personnel managers to watch out for a workplace phishing scheme targeting employees who can look at their pay and tax information through online self-service systems.

In these cases, the con sends an email to employees while posing as a business’s human resources department. The message contains a link to go to the self-service account.

These links are bogus, and by clicking through and entering login information, victims unwittingly hand over their login information, which allow the fraudsters to access sensitive personal data.

These phishing emails will often ask targets to logon to view a private email from HR, to view changes made to their accounts or to confirm that the account should not be deleted, the FBI said.

With that login information, crooks can get at W-2 and pay stub information or change direct deposit arrangements.

The FBI recommended employers train workers to watch for phishing attacks and suspicious links. Checking actual email addresses, rather than just looking at display names, can be crucial to spotting attacks early.

Another good practice is for human resources departments to make sure self-service applications have two-factor authentication.

The FBI said those platforms should have alerts set up so administrators can spot unusual activity such as transfers of banking information to online banks used by fraudsters, or system access through anonymous internet browsing tools.

Having a time delay between when direct deposit information is altered and the actual deposit of new funds can reduce the odds of a theft, the agency said.

The FBI has more information on email security and other cybercrimes online at and its Internet Crime Complaint Center. For tax fraud reporting and information, check