As an employer, you’re already familiar with Form I-9, which is used by the United StatesCitizenship and Immigration Services (USCIS) for Employment EligibilityVerification. Employers must maintain a properlycompleted Form I-9 for every employee whom they hire to work in the U.S. –whether citizen or noncitizen. This process demands that both you as theemployer and each of your employees complete the form in tandem and that eachof your employees present you with USCIS-accepted documentation that bothverifies the employee’s identity and authorization to work in the country.
That’s the easy part. The hitch is that thereis a Form I-9 email scam circulating that is purportedly from the USCIS butthat is decidedly not. While the USCIS did ever-so-quietly post a Scam Alert onits What’s New page onOctober 25, 2017, this fraudulent email scheme otherwise garnered very littleattention.
The emails in question are in request of FormI-9 information, which is naturally highly personal and sensitive employeeinformation. In its What’s New post,the USCIS guarantees employers that it does not request Forms I-9 or Forms I-9information via email correspondence. Instead, employers must retain the formsthemselves and must make them available for inspection if requested to do so by the DHS, IER, or DOL.
This phishing scam reportedly originates froma fraudulent email address, email@example.com, and that the emails often includethe official labels of the USCIS and the Office of the Inspector General –along with a download button that links to a web address that is not associatedwith the U.S. government, uscis-online.org.
The current climate of uncertainty related toimmigration lends this Form I-9 scam a dash of perceived validity. Immigrationpolicy under the new administration – including but not limited to policyrelated to Dreamers, sanctuarycities, the asylum system, the travelban, the proposed border wall, and heightened scrutiny for H-1B visarenewals – has entered some murkyterritory of late, and it’s not a huge leap to imagine that the USCIS mighthave shifted some of its information-gathering policies.
They have not.
What toDo if You’ve Been Scammed
Per the USCIS, if you have been targeted bythis scam, you should notify the FederalTrade Commission. In situations where you’re unsure whether or not theemail you received is a scam, you’re encouraged to forward the email to the USCIS webmaster. The USCIS willreview the email and notify law enforcement when needed.
The USCIS encourages employers to visit its Avoid Scams Initiative for moreinformation.
How to ProtectYour Data
Recently, massive data breaches in goliathcompanies have been getting plenty of press. It’s important to remember,however, that small to medium-sized companies are also frequent targets of such breaches.
A 2015 study by the Wall Street Journal found thatthe most common cause associated with data breaches is employee error. Further,findings suggest that your cyber security is only as robust as the weakest linkwith access to your closely held information. Ultimately, the employeeinformation sought by this Form I-9 scam is among your most-sensitive data,and as an employer, it’s important to stay vigilant and aware of where yourcompany is vulnerable.
Although this email scam hasn’t received anoutpouring of attention, it highlights the fundamental importance of tighteningsecurity as it relates to critical records. You can better protect yourselffrom data breaches by ensuring that employees with access to sensitiveinformation are trained to recognize and report suspicious correspondence.
Should you have any questions about how this impacts your business or employees, please do not hesitate to reach out to us at firstname.lastname@example.org.