New Tax Scam Targets Nonprofits

In February, the IRS began alerting nonprofits that they could also be potential targets in a bold new tax scam. Nonprofits, including schools and hospitals, have fallen victim to this newest email scam, according to the IRS.

What emails should nonprofits watch out for?

The “Executive Director” sends an email to an employee in the finance, human resources, or payroll department and requests that the employee send W-2s or personal information, including SSNs, for all of the nonprofit’s employees. Except the email is not really from the Executive Director. It is from a criminal with a “spoofed” email account made to mimic the Executive Director’s. The email address will be very similar, but it may be off by a letter or it may add a number, or transpose letters, for example. Most people might miss it and may easily believe the email is from a trusted source. In the most egregious cases, the “Executive Director” sends a second email requesting that a wire transfer be made to a specified account.

The IRS reports that the spoofed email may contain these or similar messages:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

What can nonprofits do to protect themselves?

The IRS urges all employers to alert their payroll, finance, and human resources staff and outside vendors to this new scam and suggests sending W-2 scam emails to phishing@irs.gov, with “W2 Scam” in the subject line. Do not open any links contained in these emails as the links lead to imitation (spoofed) sites, which may carry malware that can infect computers in order to gain additional information.

Proactive steps for nonprofits include:

  1. Reviewing existing policies and procedures, as well as staff and vendor training, to ensure neither staff nor vendors send sensitive tax or personal information in response to unsolicited emails. Such a review and periodic training is within reach even for nonprofits with limited budgets.
  2. Having policies in place requiring that employees and vendors limit the secured email transmission of sensitive tax or personal information only to known recipients.
  3. Discussing with the IT department or IT vendor what steps can be taken to ensure that spoofed emails, especially those from publicly-identified threats, are caught by the nonprofit’s spam filter.
  4. Discussing with your insurance broker the availability of insurance to cover the costs associated with an employee inadvertently responding to a spoofed email.

When was the last time your nonprofit reviewed its policies and procedures and insurance coverage? Does your nonprofit have policies and procedures relating to spoofed emails and other cyber threats?

We are here to help. Please call Cheshire Law Group at (267) 331-4157 to discuss a cost-effective review of your nonprofit’s policies and procedures.

Share this:

Return to Noteworthy