State Re-Employment Tax Fraud

Currently I work in the financial and real estate industry. Recently I met a lady who had a very interesting thing happen to her, which sheds light on how people are affected by ADP’s forging of Social Security numbers. Gabriella, who is my partner’s client, divulged a very interesting story.

She has lived in Miami her whole life. She is a single mother of three children and also is on disability. She receives child support and benefits for both her and her children. One of her children is ill so she receives extra disability assistance.

ADP violations

Who and what is ADP?

Automatic Data Processing, Inc., commonly known as ADP, is an American provider of human resources management software and services. As of 2010, ADP was one of four American companies to have a AAA credit rating from Standard & Poor’s (S&P) and Moody’s.

How does ADP make their money?

We pay roughly 1 in 6 working Americans. That’s over 26,000,000.

ADP makes money by holding the employer and employee taxes.

ADP Rewrites Payroll, Everything!

The ADP whistleblower, fired for standing up to illegal business practices at the payroll giant, launched a website documenting the federal crimes he reported to the SEC and FINRA.

Posts from the new site are being shared across social media by thousands of angry ADP customers and employees, expressing their dissatisfaction with the company, and uniting around his message.

The first memo shared by the whistleblower — former top ADP national salesman David M. Schwartz — received more than 11,000 views by going viral on LinkedIn.

The social media campaign is directing angry customers to memos about each area where ADP has ripped off customers or wronged employees.

Visitors can also join a database to document their grievances and to classify all the claims into 10 major categories.

On Twitter, @ADPFraud is going down the timeline to capture the thousands of angry comments posted there since 2009, plus retweeting up to a dozen new complaints that ADP receives each day.

Bless the heart of the ADP employee who has to answer this barrage of angry complaints and demands for better customer service. (There are also many web designers who chime in at @ADP to squawk about how badly its websites and apps are designed, as its paystubs can only be seen by using an old version of Internet Explorer.)

At an average of three complaints per day (and some days, it’s a dozen), that’s 10,000 posts against ADP made publicly by members of the social network, and each of those members is being invited to visit the website.

The hashtags #adpsucks or #adpfail and fun search strings “ADP and ‘the worst’” make identifying the class easy.

The Twitter campaign is highlighting verified “blue check” CEOs and celebrities griping about ADP’s bad customer service and infamously long wait lines, plus sharing articles about the whistleblower’s legal case against ADP.

ADP W-2 Breach a Perfect Example of ‘FlowJacking’

HR giant ADP, which provides payroll, tax and benefits administration for more than 640,000 companies, was hit hard by identity thieves this week. The perps made off with tax and salary data, according to a report from Brian Krebs—although the actual number of people affected has yet to be revealed.

The incident is an example of an increasingly sophisticated population of identity thieves, which uses complex, multi-stage attack vectors to get what they want.

Krebs explained that to access the information, the thieves used employee names from multiple firms to register accounts on an ADP external-facing web portal that employees can use to view their payroll information, including W-2s.

ADP Chief Security Officer Roland Cloutier explained that to create an account, users need to sign up using their name, social security number and date of birth—pretty basic information that can be easily lifted by skilled hackers. But to activate the account, users need a specific link and company code. The victim companies were the ones that published their signup link and code somewhere publicly accessible.

“We viewed the code as an identification code, not as an authentication code, and we posted it to a Web site for the convenience of our employees so they could access their W-2 information,” said Dana Ripley, a spokesperson for one of the unfortunate victims, U.S. Bank. “We have discontinued that practice.”

Jennie Carlson, executive vice president of human resources at U.S. Bank, penned a letter to “a small population” of affected employees explaining the situation:

“Since April 19, 2016, we have been actively investigating a security incident with our W-2 provider, ADP…The incident originated because ADP offered an external online portal that has been exploited. For individuals who had never used the external portal, a registration had never been established. Criminals were able to take advantage of that situation to use confidential personal information from other sources to establish a registration in your name at ADP. Once the fraudulent registration was established, they were able to view or download your W-2.”

The personal information needed to open the account was not stolen from ADP, Cloutier stressed. But the tactic is an increasingly prevalent one, according to Carl Wright, EVP and general manager of TrapX Security.

“The attack on ADP by cyber thieves is an example of an increasingly sophisticated hack called a FlowJack,” he said via email. “Hackers can penetrate an organization and gain an understanding of the internal workflow and the necessary credentials to hijack target assets. This interception of critical workflow, or FlowJack, enables hackers to steal important data and then intercept and divert the flow of money—in this case, citizens’ tax refunds.”

Adam Levin, chairman and founder of IDT911, told Infosecurity that while ADP isn’t saying much about who the victims are, the overall number of people affected is likely to be significant.

“As ADP works with more than 640,000 companies, this may only be the tip of the iceberg,” he said. “W-2 data is a hot commodity for identity thieves because it contains the type of sensitive personal information necessary to file fraudulent federal and state tax returns for the purpose of securing tax refunds in the names of victims. This puts a huge bullseye on payroll and human resource companies like ADP that handle such a goldmine of personally identifiable information.”
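The registration weakness described above, as an added example that is not ADP's or U.S. Bank's code: a shared company code identifies the employer but does not authenticate the employee, so a hardened flow also requires a per-employee, single-use activation token. The hardened design, the function names and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the SSN is a placeholder in a never-issued range.
COMPANY_CODE = "EXAMPLE-1234"   # shared by all staff and published, so not a secret
ROSTER = {("Pat Doe", "000-00-0001", "1980-01-01")}
_pending = {}       # identity -> SHA-256 of that employee's unused activation token
_registered = set()

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())

def issue_activation_token(identity):
    """Create a single-use secret for one employee, to be delivered out of band."""
    token = secrets.token_urlsafe(16)
    _pending[identity] = hashlib.sha256(token.encode()).hexdigest()
    return token

def register_weak(identity, company_code):
    """Flow as the article describes it: identity data plus the shared code."""
    return identity in ROSTER and _same(company_code, COMPANY_CODE)

def register_hardened(identity, company_code, token):
    """The code only selects the employer; the per-employee token authenticates."""
    if identity not in ROSTER or identity in _registered:
        return False
    if not _same(company_code, COMPANY_CODE):
        return False
    expected = _pending.get(identity)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not _same(supplied, expected):
        return False
    del _pending[identity]      # token cannot be replayed
    _registered.add(identity)
    return True

def demo():
    victim = ("Pat Doe", "000-00-0001", "1980-01-01")
    token = issue_activation_token(victim)
    # An impostor holds the victim's identity data and the published code only.
    weak = register_weak(victim, COMPANY_CODE)
    impostor = register_hardened(victim, COMPANY_CODE, "not-the-token")
    owner = register_hardened(victim, COMPANY_CODE, token)
    replay = register_hardened(victim, COMPANY_CODE, token)
    return weak, impostor, owner, replay

if __name__ == "__main__":
    print(demo())
```

The weak check accepts anyone who knows the employee's identity data, while the hardened check accepts only the holder of the unused token and rejects a second registration for the same employee.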

How to Communicate the Value of Security Management to the Board

Before the threat of a cyberattack became a top concern for business leaders and board members alike, finance played a limited role in security management. Today, finance leaders increasingly find themselves part of the team responsible for developing and implementing their employer’s cybersecurity strategy. So why the change? Why do finance leaders now play such an important role in protecting organizations from the never-ending and increasingly damaging stream of cyberattacks?

The reason is quite simple to appreciate, especially for those who have watched the finance department evolve from its role of corporate check-signer, to a critical department with a permanent position in the C-suite. By virtue of its role as corporate accountant, the finance department is often the only area within the organization that possesses a detailed view of the firm’s entire operations, warts and all. Therefore, since cybercriminals look for security gaps across the enterprise, finance’s detailed knowledge of the organization’s inherent strengths and weaknesses can help ensure the deployment of an effective cybersecurity program.

Educating the Boardroom on Security Management

This overarching view of the organization’s operations is just one reason why finance leaders continue to play a bigger role in stopping cyberattacks. Cybersecurity is a complex topic with the potential to overwhelm board members, especially those with limited technical knowledge and experience. Since finance leaders distill and present complex financial data to the board on a regular basis, they often know how to deliver information in a way that builds trust and triggers action. When discussing cybersecurity-related topics, they can leverage their existing relationships with each board member, anticipate the types of objections individual directors might raise and, consequently, present an insightful, detailed and compelling case to justify the investment in cybertechnology.

Further, given that finance leaders know where a firm’s critical assets reside within the corporate network, they can provide context for requests to invest in cybersecurity technology. Using layman’s terms, they can describe what a proposed technology investment will accomplish that the existing software and hardware is unable to do. They can explain to board members in specific terms why it’s important to invest in a next-generation firewall, for example, and how that software protects the firm’s critical assets.

Providing such context can make the difference between the board accepting or rejecting a request for an investment in technology. Without context, a CIO’s request for a more advanced firewall might fall on deaf ears if the board fails to understand the “why” driving the purchase decision. Finance leaders can also function in their traditional role by explaining the impact of any cybersecurity-related purchases on the organization’s existing budget and projected financial statements.

A New Era Creates a New Role for Finance Leaders

The rush to automate business transactions means that technology will play an increasingly large role in how businesses operate as a whole. Unfortunately, the more technology that businesses embed within their operations, the greater the threat posed by cybercriminals. Finance leaders excel at the basic elements of their role, yet today, they must also help bridge the gap between the board and the IT department. In extreme examples, the ability of an organization to withstand a cyberattack and remain in business depends on it.

W-2 Phishing Scams Increasingly Target Payroll Personnel

The W-2 phishing scam often targets payroll and HR professionals. Learn how to prevent it and what to do if your data is compromised.

Often appearing to be from a corporate executive, it begins with a friendly “Are you working today?” email. But the W-2 phishing scam quickly escalates to a request for W-2 information.

What happens when fraudsters succeed? “Cybercriminals who successfully steal W-2 forms immediately attempt to monetize their thefts,” notes the IRS. “Criminals may immediately attempt to file fraudulent tax returns claiming a refund. Or, they may sell the data on the internet’s black market sites to others who file fraudulent tax returns or use the names and SSNs to create other crimes.”

Here’s what finance leaders need to know about avoiding W-2 phishing scams and limiting the damage if one should occur.


Any employee — especially in this case HR or payroll staff — who has access to sensitive information should receive regular training and updates on phishing scams and how to avoid them. The IRS notes, for example, that it “never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information. Any contact from the IRS will be in response to a contact initiated by you. Cybercriminals, when they learn of a new IRS process, often create false IRS websites and IRS impersonation emails.”

In addition, cybersecurity experts strongly recommend auditing and potentially reducing the number of employees with access to W-2 and other sensitive information. The more people with access, the greater the risk of falling victim to a scam.

Mitigating Losses

In the unfortunate event that employee information has been compromised, speed is of the essence. As soon as you believe that you may be a victim of a W-2 phishing scam, the IRS recommends emailing to alert them of a W-2 data loss. Putting “W-2 Data Loss” in the subject line will help ensure that the email ends up in the right place. In the email, make sure to include the following information:

Business name
Business employer identification number (EIN) associated with the data loss
Contact name
Contact phone number
Summary of how the data loss occurred
Volume of employees impacted

In the email, do not include any employee personally identifiable information.