Phishing Scam Targets Employees at Schools, Hospitals, Non-Profits and Others by Joseph L. Saka, CPA/PFS

Posted on March 09, 2017 by Joseph Saka

Businesses, non-profits, federal and state entities and any organization that issues W-2s to their workers must be on alert for a new email phishing scam that the IRS has identified as “one of the most dangerous” scams resulting in “large scale theft of sensitive data.”


In this scheme, cybercriminals use spoofing techniques to disguise emails to appear as if they are from an organization executive. They send the emails to employees in the payroll or human resources departments, requesting a list of all of the organization’s employees and their Forms W-2.  Workers, who receive the email and assume it came from an individual within their organizations, mistakenly comply with the request and ultimately put their co-workers at risk of identity theft.  In a new twist, cybercriminals posing as organization employees now ask victims to make wire transfers to fraudulent accounts, which can result in thousands of dollars in losses.


According to the IRS, this scam has been circulating to a broad range of organizations, including school districts, tribal casinos, chain restaurants, temporary staffing agencies, healthcare and shipping and freight. In addition, businesses that received the scam email last year also are reportedly receiving it again this year.


How Entities Can Protect Themselves

The first step organizations should take to avoid becoming victims of an email scam is to educate their employees about cyber risks and the various forms of cyberattacks. Protecting sensitive data and keeping it out of the hands of criminals also requires organizations to put into place appropriate security policies and internal controls.


When asked to provide confidential information via telephone, text or email, employees should think twice before responding. Taking an extra minute to call the person claiming to have sent the message or creating a new and separate email to confirm his or her request will go a long way toward keeping organizations, their data, their people and their systems safe.


About the author: Joseph L. Saka, CPA/PFS, CEO of Berkowitz Pollack Brant, where he provides a full range of income and estate planning, tax consulting and compliance services, business advice, and financial planning services to entrepreneurs, high-net-worth families and family companies and business executives in the U.S. and abroad. He can be reached at the firm’s Miami office at (305) 379-7000 or via e-mail at