Issue

More and more, cybercriminals are attempting to “scam” employers – including private colleges and universities – in an attempt to facilitate various “flavors” of on-line crime. The IRS has issued information to help you to not stumble into these scams.

Situation

Marathon Bible College (MBC) is a public charity and a school under I.R.C. sections 501(c)(3) and 170(b)(1)(A)(ii). Their Controller calls us to ask about an email that their Human Resources Director received – apparently from MBC’s president, who was traveling abroad. The HR Director received an “official looking” email – purporting to be from the President – stating that to answer an important inquiry, he was asking her to send him a listing of all employees with copies of their 2016 W-2 forms.

We told them that is was wise of them to call us and that this was a current oft-occurring scam that can be financially devastating to the institution and its employees. We inform them of the IRS’ recent information on how to handle these “cyber crime requests”.

Rules

From IRS Exempt Organization Update (2/3/17):

WASHINGTON – The Internal Revenue Service, state tax agencies, and the tax industry issued an urgent alert today to all employers that the Form W-2 email phishing scam has evolved beyond the corporate world and is spreading to other sectors, including school districts, tribal organizations and nonprofits.

In a related development, the W-2 scammers are coupling their efforts to steal employee W-2 information with an older scheme on wire transfers that is victimizing some organizations twice. “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen.

When employers report W-2 thefts immediately to the IRS, the agency can take steps to help protect employees from tax-related identity theft. The IRS, state tax agencies, and the tax industry working together as the Security Summit have enacted numerous safeguards in 2016 and 2017 to identify fraudulent returns filed through scams like this. As the Summit partners make progress, cybercriminals need more data to mimic real tax returns.

Here’s how the scam works: Cybercriminals use various spoofing techniques to disguise an email to make it appear as if it is an organization executive. The email is sent to an employee in the payroll or human resources departments, requesting a list of all employees and their Forms W-2. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES).

The Security Summit partners urge all employers to be vigilant. The W-2 scam, which first appeared last year, is circulating earlier in the tax season and to a broader cross-section of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. Those businesses that received the scam email last year also are reportedly receiving it again this year.

Steps Employers Can Take If They See the W-2 Scam
Organizations receiving a W-2 scam email should forward it to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.

Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. Employees should file a Form 14039, Identity Theft Affidavit, if the employee’s own tax return gets rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

The W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses, and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.

Bottom Line

Higher education institutions should exercise extreme care with regard to procedures, training, and a daily commitment to being watchful in the arena of email requests for information. You should touch base with your skilled, knowledgeable, and experienced not-for-profit tax professional. They will be able to help you navigate these potentially treacherous waters.

Specific questions? Email Dave Moja.

The information provided herein presents general information and should not be relied on as accounting, tax, or legal advice when analyzing and resolving a specific tax issue. If you have specific questions regarding a particular fact situation, please consult with competent accounting, tax, and/or legal counsel about the facts and laws that apply.