The IRS recently announced that a Form W-2 phishing scheme is now targeting many not-for-profit organizations. Human resources departments in school districts, tribal governments and other not-for-profit organizations have reported receiving bogus emails asking for their employees’ W-2 tax information. For-profit companies have also reported suspicious W-2 related emails, which are similar to scams reported in 2016.
Email phishing is a form of social engineering that cybercriminals use to access your organization’s secure network or personally identifiable information. Cybercriminals use various spoofing techniques to create emails that look legitimate and manipulate users into responding or providing key pieces of information to unauthorized users.
Not-for-profit organizations may be particularly vulnerable to W-2 phishing schemes because of the information publically available through their previous Form 990 filings. Many Form 990s list or disclose members of the organization’s executive team along with their titles and salary information. Signatures and logos may be available through publically available annual reports. These pieces of information could be used by cybercriminals to make more authentic-looking emails. The amount of information that could be used by cybercriminals makes it essential that not-for-profit organizations be vigilant in managing their phishing risks.
How to Determine if You Have Received a W-2 Phishing Email
For the W-2 scam, cybercriminals are creating emails that appear to be coming from an organization’s executive team. The emails are being sent to human resources and payroll departments and ask for information including employee lists, Social Security numbers or copies of employees’ W-2 tax forms.
During the 2016 W-2 scam, the IRS noted that many of the emails contained common phrases, including:
- Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
- Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
- I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.
Any information gathered through these phishing emails could potentially be used by the unauthorized user to file fraudulent tax returns. Over the past several years, phishing scams such as these have become increasingly common. The IRS prevented 1.4 million suspicious tax returns in 2015, which would have amounted to about $8 billion in tax refunds. During the early part of the 2016 tax season, the IRS noted a 400 percent surge in phishing and other malware related to individual tax return filing information, including filing status, personal information, transcripts and PIN information.
Not-for-profit organizations should stress to their employees that they should report any email that contains suspicious language or requests.
What to Do if a Phishing Email is Received
First and foremost, employees should not reply to an email that seems suspicious. Several consumer agencies track phishing activity. Not-for-profit organizations that encounter suspicious W-2 emails should forward the email to firstname.lastname@example.org with the “W-2 Scam” in the subject line. Other suspicious emails can be forwarded to the Federal Trade Commission (FTC), email@example.com.
To assist with the reporting process, affected organizations may also want to file a report with the FTC. The FTC has many resources that outline procedures to take if you are a victim of identity theft.
The biggest prevention for phishing lies in education. All employees should be aware of their role in protecting their organization from a social-engineering style attack. Cybercriminals do not discriminate among for-profit and not-for-profit organizations, and employees of not-for-profits should take note.
A social engineering exercise may be able to identify how vulnerable your organization is to a cyberattack and pinpoint weaknesses that may exist in your information security functions. Information security teams that monitor for broad scale social engineering threats, such as the W-2 scam, can also help their organization stay educated and protected from potential risks.
For More Information
To learn more about how your organization can protect itself from the W-2 scam and other social engineering incidents, please contact us.
Kyle Konopasek is a Manager in our Kansas City office who works closely with the Business and Technology Risk Services group at CBIZ MHM, LLC, He can be reached at firstname.lastname@example.org or 816.945.5512.
Copyright © 2017 CBIZ Tofias & MHM (Mayer Hoffman McCann P.C.). All rights reserved. CBIZ Tofias and MHM are separate and independent legal entities that work together to serve clients. CBIZ Tofias is a leading provider of tax and consulting services. MHM is an independent CPA firm providing audit and other attest services. This article is protected by U.S. and international copyright laws and treaties. Use of the material contained herein without the express written consent of the firms is prohibited by law. Material contained in this alert is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their business.