February 23, 2017; KMSP-TV (Minneapolis-St. Paul)

Your HR or finance office receives an email asking you to respond quickly with a PDF or list of your employees’ W-2 information. It might say, “Can you send me the updated list of employees with full details (name, SSN, date of birth, home address and salary)” or “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.” How should you respond?

Some Minneapolis area schools, hospitals, and nonprofits have been receiving emails like this. A few have replied with the requested information, falling victim to an online scam that has migrated from the for-profit world to the nonprofit and governmental sectors. In fact, a version of this scam was responsible for the discovery of Democratic National Committee official emails that ended up being published on WikiLeaks. Computer forensic expert Mark Lanterman said, “In 2016 I was retained by four of the top ten law firms in Minneapolis because they fell victim to a W-2 scam.”

The Bloomington, Minnesota school district was victimized by the scam when it emailed W-2 information for its 2,800 employees in response to a scam email. The employee responsible is currently on administrative leave.

The danger of an employee’s W-2 information falling into the wrong hands is significant. With name, address, salary, and Social Security number, a thief has all the basic information needed to build a complete profile and file a false tax return, steal the employee’s identity, apply for credit, or make purchases. Stolen information is also valuable as a product, often selling for hundreds of dollars per profile.

The IRS website has a page addressing W-2 scams and what can be done if an employer or employee falls victim. In addition to alerting the IRS, there is an email address, [email protected], set up as a clearinghouse for victims to notify state tax agencies.

As with all online scams, the first lines of defense are common sense and strong administrative controls. Your organization’s confidential information is an asset that should be safeguarded by allowing as few people as possible to have access to it. Authorized personnel should be trained on the proper handling of confidential information and encouraged to employ proper security safeguards for both paper and digital records. Before replying to an email requesting confidential information, authorized personnel should confirm who is asking and why. This is especially true when the request has not been encountered before.
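The "confirm who is asking and why" step above can be backed by a simple mail-triage rule that routes W-2 requests for out-of-band verification instead of letting a busy HR inbox answer them. The following is an added example written for this page, not code from the article or from any of the organizations it mentions: it parses two constructed sample messages (the scam wording is taken from the article; the sender addresses and the `internal_domain` value are invented placeholders), flags any message that asks for W-2 or SSN data, and marks it for verification when the sender domain is not the organization's, the Reply-To domain differs from the From domain, or the text pushes for a quick reply. The keyword lists are illustrative heuristics, not a complete detector; the control that actually stops the scam is the phone call or in-person check the rule sends the message to.

```python
import email
from email import policy
from email.utils import parseaddr

# Phrases that appear in the W-2 request emails described in the article.
W2_REQUEST_TERMS = ("w-2", "w2", "ssn", "social security", "earnings summary", "full details")
# Pressure language; scam emails lean on speed so the recipient skips verification.
URGENCY_TERMS = ("quick review", "quickly", "as soon as possible", "kindly send")


def _domain(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if none."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def assess_w2_request(raw: str, internal_domain: str) -> dict:
    """Decide whether a message asking for W-2 data must be verified out of band.

    internal_domain is the organization's own mail domain (assumption for this example).
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    haystack = f"{msg.get('subject', '')}\n{text}".lower()

    from_domain = _domain(msg.get("from", ""))
    reply_to = msg.get("reply-to")
    reply_domain = _domain(reply_to) if reply_to else from_domain

    asks_for_w2 = any(term in haystack for term in W2_REQUEST_TERMS)

    anomalies = []
    if from_domain != internal_domain.lower():
        anomalies.append("sender domain is not the organization's")
    if reply_domain != from_domain:
        anomalies.append("Reply-To domain differs from From domain")
    if any(term in haystack for term in URGENCY_TERMS):
        anomalies.append("urgency/pressure language")

    return {
        "asks_for_w2": asks_for_w2,
        "anomalies": anomalies,
        # Only a W-2 request with at least one anomaly is held for a phone or in-person check.
        "verify_out_of_band": asks_for_w2 and bool(anomalies),
    }


# Constructed sample 1: lookalike sender domain, off-domain Reply-To, scam wording from the article.
SAMPLE_SPOOF = (
    "From: Jane Director <jane.director@examp1e-school.org>\n"
    "Reply-To: jane.director@mail-examp1e.net\n"
    "To: hr@example-school.org\n"
    "Subject: W-2 for quick review\n"
    "\n"
    "Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 "
    "of our company staff for a quick review.\n"
)

# Constructed sample 2: routine internal payroll notice that mentions W-2 but asks for nothing.
SAMPLE_LEGIT = (
    "From: Payroll <payroll@example-school.org>\n"
    "To: hr@example-school.org\n"
    "Subject: W-2 forms mailed\n"
    "\n"
    "The 2016 W-2 forms were mailed to staff home addresses today. No action needed.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, assess_w2_request(raw, "example-school.org"))
```

The legitimate notice still trips the W-2 keyword, which is expected: the rule does not try to judge content alone, it only decides whether a request for payroll data arrived through a channel with any sign of being outside the organization. Tuning the term lists to local phrasing and adding a check against the real payroll distribution list would reduce noise without weakening the verification step.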

Most nonprofits won’t be solicited by W-2 scammers, and most that are will ignore the emails. Unfortunately, as the Bloomington School District and the DNC learned, it only takes one slip to open the door to potentially disastrous consequences.—Michael Wyland