In early February, the Internal Revenue Service and various tax agencies issued an alert warning employers of a Form W-2 email phishing scam. The scam was well known among private-sector businesses—the Democratic National Committee famously fell for a similar version—but the IRS updated the alert to include school districts, health-care providers and, yes, nonprofits.
According to the IRS, the scheme is painfully simple. Scammers target an organization’s accounting or human resources department using spoofing techniques that make an email appear to come from an executive in the organization. The scammers request a list of all employees and their W-2s, then use any personal information they obtain to file fake tax returns or otherwise commit identity theft.
KMSP-TV, a Fox affiliate based in Minneapolis, reported that fake emails in some instances asked for employee names, social security numbers, dates of birth, home addresses and salaries, while others requested 2016 W-2s (in PDF form) and W-2 earnings summaries for company staff.
“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.” — IRS Commissioner John Koskinen
Nonprofits are no stranger to donation scams, like the ever-popular fake check scam that pops up every few years. But this one is new to the sector and may be more difficult to catch. A big donation from a stranger is an automatic red flag for development professionals; a well-disguised request for tax forms is considerably more mundane, posing significant risk for rookie HR employees or understaffed accounting departments.
If you’re on the receiving end of a W-2 scam email, the IRS advised forwarding it to firstname.lastname@example.org with “W-2 Scam” as the subject line. The IRS also provided other reporting options and general online scam-prevention tips in its release. View those here.