Several have already fallen victim to e-mails that get payroll and human resources offices to mistakenly e-mail payroll data, including Forms W-2 that contain Social Security numbers and other personally identifiable information, to cybercriminals posing as company executives.

This particular phishing scheme is characterized as “spoofing.”

The e-mail will typically contain the actual name of the company's chief executive officer, and will on the surface come from the “CEO” to a company payroll office employee requesting a list of employees and information including SSNs.

According to the IRS, these e-mails will also contain some of the following statements, or variations on them:

• “Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

• “Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).”

• “I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data,” John Koskinen, IRS commissioner, said in a statement.

Koskinen added, “Now the criminals are focusing their schemes on company payroll departments. If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

That goes for retirement plans, too.