Talk to an Expert
MinistryWorks

IRS Warns of Dangerous W-2 Email Scam

Email Scam Targets W-2 Info

Ministries beware: An email scheme, designed to coincide with tax season, asks payroll and human resource professionals to disclose employees’ personal information. Think you wouldn’t fall for such a scam? You might, if the email looks as if it came from someone in your ministry.

Why You’re Likely To Fall Victim

According to an Internal Revenue Service alert, the phishing emails often contain the actual name of someone in your organization, such as a board member or pastor. This “spoofing” technique makes the request appear legitimate. Scam emails may look like these examples:

  • Kindly send me the 2022 W-2s and earning summaries for all of our staff for a quick review.
  • Can you send me the updated employee list with full details—name, Social Security Number (SSN), date of birth, home address, and salary?
  • I need a list of employees’ wage and tax statements for 2021. Email it to me ASAP. Similar scams involve a request to wire money. The methodology is the same: an email that appears to come from a board member or pastor requests that a wire transfer be made to an unfamiliar account. The email could say that it’s for an overseas charity that the pastor feels needs assistance.
Other Scams Mimic IRS Emails

IRS Criminal Investigation already is reviewing several cases in which organizations unwittingly shared SSNs with cybercriminals. These email schemes are designed to look like official IRS communications, and ask organizations to give out information about refunds, filing status, personal information, or to verify PIN information. Be aware that the IRS generally does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. You can read more about the new consumer alerts issued by the IRS here.

Stay Vigilant

If something looks suspicious, look carefully at the sender’s email address. At first glance, it may appear authentic. You may see jdoe@sender.com, when you should see jdoe@‹yourministrydomain›.org. When in doubt, don’t click anything—verify that the person claiming to send the email actually sent it by checking in person or with a phone call. You can also set a policy for financial data requests to be made only in person. To protect sensitive data, avoid emailing employee information unless using a secure transfer method.

If you receive a W-2 phishing scam email, forward it to phishing@irs.gov with “W2 Scam” in the subject line.

If your ministry did fall victim to a phishing scam, time is critical. The IRS has created avenues for businesses and payroll service professionals to report if they lost data to this scam or if they only received the email without falling victim. Read Form W-2 / SSN Data Theft: Information for Businesses and Payroll Service Providers from the IRS.

 

Updated: October 2022

The information in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.