07 February 2017

Exempt organizations are being targeted in Form W-2 phishing scam, IRS warns

The IRS has issued a news release (IR-2017-20) warning tax-exempt organizations that a Form W-2 email phishing scam that originally targeted for-profit corporations has begun to attack school districts, hospitals, tribal organizations and other non-profit entities.

This latest warning from the IRS follows an announcement issued a week earlier that the Form W-2 phishing scam, which began last year, has returned in 2017. Under the scam, cybercriminals send phishing emails to payroll and human resources employees, with the emails appearing to be from an executive within the organization. These emails request lists of employees with Form W-2 information, which the perpetrators then use to file fraudulent tax returns and commit other identity-theft crimes.

The IRS notes that the scam has returned this year with a broader range of targets, including those in the tax-exempt sector. The IRS also reports that the perpetrators are coupling the Form W-2 phishing scheme with an older scheme based on wire transfers. Under the wire transfer scheme, an email purporting to be from an executive asks payroll or the comptroller to wire funds to a certain account. Although not directly tax-related, the wire transfer scam often targets the same organizations victimized by the Form W-2 phishing scam.

The IRS has created a "Security Summit" in combination with state tax authorities and the tax industry to combat the threat from these phishing scams. It urges employers to share information on the threat with their payroll, finance and human resource departments, and to create internal policies (if not already in place) on distributing employee Form W-2 information and conducting wire transfers.

Implications

Vulnerability of tax-exempt organizations

An employer must file a Form 941 on a quarterly basis (or a Form 944 on an annual basis for smaller employers). An employer must also furnish a copy of Form W-2 to each employee who received wages during the year and file Copy A with the Social Security Administration.

A Form W-2 must show: total wages and other compensation paid (even if not subject to withholding); total wages subject to Social Security and Medicare taxes; allocated tips (if any), and amounts deducted from income. In all cases, like for-profit employers, a tax-exempt organization must give each of its employees Form W-2 by January 31 following the end of the calendar year covered.

Unlike a for-profit entity, the annual Form 990 series information return of a tax-exempt organization is publicly disclosed and can be viewed by anyone (although note, a tax-exempt organization is generally not required to disclose publicly the contents of Schedule B, which contains the names and addresses of its contributors, see Treas. Reg. Section 301.6104(d)-1(b)(4)(ii)). This makes a tax-exempt organization particularly vulnerable as scammers can easily learn the names of its leaders and top financial personnel. In addition, a Form 990 may reveal certain activities, projects, background information and future objectives of a tax-exempt organization.

IRS efforts in addressing fraud

The warning contained in IR-2017-20 coincides with recent regulatory measures that the IRS has implemented to combat employment-related tax fraud.

Treas. Reg. Section 1.6081-8T, which became effective for the 2017 filing season, provides for a single 30-day non-automatic extension of time to file certain information returns. These changes are being implemented to accelerate the filing of forms in the Form W-2 series (except Form W-2G) so they are available earlier in the filing season for use in the IRS's identity theft and refund fraud detection processes.

The forms in the Form W-2 series (except Form W-2G) are the first information returns subject to these new rules. These forms are especially helpful to the IRS in identifying falsified refund claims and avoiding their disbursement. A significant portion of most taxpayers' income and withholding is reported on Forms W-2. Phony Forms W-2 are also a primary tool used by identity thieves and unscrupulous tax preparers to report bogus financial information. Having access to Forms W-2 earlier in the filing season will improve the IRS's ability to conduct pre-refund matching and identify incidences of identity theft and tax refund fraud.

The IRS has also launched a "verification code" pilot on some Forms W-2 that provides a 16-character combination of capital letters and/or numbers to be used primarily in tax preparation software. When the verification code appears on the Form W-2, the employee must use it when filing the Form 1040 electronically. The pilot applies to approximately 50 million Forms W-2. Failure to enter the verification code will not result in the rejection of a taxpayer's return. The IRS will, however, use the verification code to help verify the information contained on Forms W-2.

How a tax-exempt organization can protect itself from fraud

The Form W-2 scam is just one of several new variations that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies. Individual taxpayers also can be targets of phishing scams, but cybercriminals seem to have evolved their tactics to focus on mass data thefts.

A tax-exempt organization should alert its entire management and leadership team to phishing scams. The organization should also alert its IT team and request that it screen for spoofed email addresses. It is recommended that an entity maintain a policy that forbids personnel from authorizing distributions of funds or releasing sensitive information based on email or similar instructions alone. Personnel should also be prohibited from making disbursements or releasing sensitive information without proper supporting documentation. The organization should also implement other proper approval control procedures.

Organizations receiving a Form W-2 scam email should: (i) not reply to the message; (ii) not provide any personal or financial information; (iii) forward it to phishing@irs.gov and place "W2 Scam" in the subject line and then delete the message; and (iv) not open any attachments or click on any links, as they may contain malicious code that can infect an organization's computer. Also, organizations that receive the scam emails or fall victim to them should file a complaint with the Internet Crime Complaint Center (IC3) operated by the Federal Bureau of Investigation.

Please contact your Ernst & Young LLP tax professional with any questions.

———————————————
RELATED RESOURCES

— For more information about EY's Exempt Organization Tax Services group, visit us at www.ey.com/ExemptOrg.

———————————————

Contact Information
For additional information concerning this Alert, please contact:
 
Tax-Exempt Organizations Group
Mike Vecchioni (313) 628-7455
Agnes Gesiko (858) 535-4436
John Rigney (314) 290-1106

Employment Tax Services Group
Debera Salam (713) 750-1591

———————————————

Other Contacts
Exempt Organizations Tax Services Markets and Region Leadership
   • Scott Donaldson, Americas Director – Phoenix (602) 322-3062
   • Mark Rountree, Americas Markets Leader – Dallas (214) 969-8607
   • Bob Lammey, Americas Higher Education Markets Leader – Boston (617) 375-1433
   • Lucille White, Central Region – Chicago (312) 879-2670
   • Bob Vuillemot, Northeast Region – Pittsburgh (412) 644-5313
   • Debra Heiskala, West Region – San Diego (858) 535-7355
   • Joyce Hellums, Southwest Region – Austin (512) 473-3413
   • Kathy Pitts, Southeast Region – Birmingham (205) 254-1608

Document ID: 2017-0272