Ministries beware: An email scheme, designed to coincide with tax season, asks payroll and human resource professionals to disclose employees’ personal information. Think you wouldn’t fall for such a scam? You might, if the email looks as if it came from someone in your ministry.
According to an Internal Revenue Service alert, the phishing emails often contain the actual name of someone in your organization, such as a board member or pastor. This “spoofing” technique makes the request appear legitimate. Scam emails may look like these examples:
IRS Criminal Investigation already is reviewing several cases in which organizations unwittingly shared SSNs with cybercriminals. These email schemes are designed to look like official IRS communications, and ask organizations to give out information about refunds, filing status, personal information, or to verify PIN information. Be aware that the IRS generally does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information. You can read more about the new consumer alerts issued by the IRS here.
If something looks suspicious, look carefully at the sender’s email address. At first glance, it may appear authentic. You may see firstname.lastname@example.org, when you should see jdoe@‹yourministrydomain›.org. When in doubt, don’t click anything—verify that the person claiming to send the email actually sent it by checking in person or with a phone call. You can also set a policy for financial data requests to be made only in person. To protect sensitive data, avoid emailing employee information unless using a secure transfer method.
If you receive a W-2 phishing scam email, forward it to email@example.com with “W2 Scam” in the subject line.
Updated: December 2019
The information in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.