“The Most Dangerous Phishing Scam” Is Causing Organizations to Lose Billions
By Kyle Winey, Esq. and Robert Showers, Esq.
“This is one of the most dangerous email phishing scams we’ve seen in a long time,” says IRS Commissioner John Koskinen, referring to the latest surge of W-2 phishing attacks. Unfortunately, according to the IRS, it is impacting churches, nonprofits and for-profits alike as well as individuals and costing the organizations and individuals great losses with little chance of recovery.
Traditional email attacks centered on spoof. The attacker convinced an unsuspecting victim to wire funds to a fraudulent account. Think of the “Nigerian Prince” scam: the sender, who claims to be a government official or member of a royal family, requests assistance in transferring millions of dollars of excess money out of Nigeria and promises to pay the person for his or her help. The message is always of an “urgent, private” nature.
The latest W-2 phishing scam, however, is sneakier—and thus more dangerous—than the conventional attacks of the Nigerian Prince scam. In these cases, the fraudster impersonates the victim’s boss and asks for a copy of the victim’s tax forms. The fraudster may even send an initial “Hi, are you in today?” message before making the request, cloaking his or her true intentions. Upon receiving the victim’s W-2 information, the fraudster loots the victim’s bank accounts or sells the victim’s full W-2 on the open market for an amount between $4 and $20.
But it doesn’t stop there. Fraudsters, in a quest to score even more bounty, are now attempting to loot entire organizations using the same technique. Often, the fraudster will impersonate an executive and email the company’s payroll or comptroller requesting a wire transfer into a particular account.
It seems that no organization—regardless of industry, size, or location—is off limits. Victims range from schools to hospitals to chain restaurants to nonprofits. The Federal Bureau of Investigation (FBI) estimates that nearly $3.1 billion from 22,000 victims has been lost from these schemes.
If you or your organization believes it is the victim of a W-2 scam, forward the malicious email to phishing@irs.gov and place “W2 Scam” in the subject line. Afterwards, complete and file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the FBI.
If you are an employee whose W-2 forms have been stolen, review the actions recommended by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft. If you are an employee whose tax returns have been rejected due to a duplicate Social Security number, file a Form 14039 Identify Theft Affidavit.
If you seek guidance in completing these forms, or if you desire to speak personally with an attorney about your options, please contact Simms Showers, LLP located in Leesburg, Virginia at KDW@simmsshowerslaw.com or call 703.771.4671.
Legal Disclaimer: This Article and related material have been prepared specifically for INFORMATIONAL PURPOSES. It is not meant to provide legal advice or substitute for competent legal counsel that can address specifics of each church. Any reader is encouraged to seek appropriately trained and experienced professional legal counsel who specializes in tax exempt and church law prior to taking the step of incorporating and redrafting governing documents and policies for legal compliance and risk management.