Ministries beware: An email scheme, designed to coincide with tax season, asks payroll and human resource professionals to disclose employees’ personal information. Think you wouldn’t fall for such a scam? You might, if the email looks as if it came from someone in your ministry.
According to an Internal Revenue Service alert, the phishing emails often contain the actual name of someone in your organization, such as a board member or pastor. This “spoofing” technique makes the request appear legitimate. Scam emails may look like these examples:
IRS Criminal Investigation already is reviewing several cases in which organizations unwittingly shared SSNs with cybercriminals. These email schemes are designed to look like official IRS communications, and ask organizations to give out information about refunds, filing status, personal information, or to verify PIN information. Be aware that the IRS generally does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. You can read more about the new consumer alerts issued by the IRS here.
If something looks suspicious, look carefully at the sender’s email address. At first glance, it may appear authentic. You may see email@example.com, when you should see jdoe@‹yourministrydomain›.org. When in doubt, don’t click anything—verify that the person claiming to send the email actually sent it by checking in person or with a phone call. You can also set a policy for financial data requests to be made only in person. To protect sensitive data, avoid emailing employee information unless using a secure transfer method.
If you receive a W-2 phishing scam email, forward it to firstname.lastname@example.org with “W2 Scam” in the subject line.
If your ministry did fall victim to a phishing scam, time is critical. The IRS has created avenues for businesses and payroll service professionals to report if they lost data to this scam or if they only received the email without falling victim. Read Form W-2 / SSN Data Theft: Information for Businesses and Payroll Service Providers from the IRS.
Updated: October 2022
The information in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.