We want you to be aware of a new potential risk affecting nonprofits. Last year, the Internal Revenue Service (IRS) was alerted to a phishing scam involving W-2 forms, in which for-profit companies were being targeted for large-scale identity theft. The IRS has now issued a secondary warning, alerting school districts, tribal organizations, and nonprofits to the scam, as it has evolved beyond the corporate sector and is now threatening these groups.
This threat is characterized by fake email alerts, which are sent to high-level corporate employees, as well as individuals involved in payroll and human resources at the organization. In these emails, W2 forms, earnings summaries, and other employee-sensitive information may be requested. In some instances, a follow-up email is also sent, asking that funds be electronically transferred to cover payroll and other miscellaneous expenses.
As a nonprofit ourselves, we know the importance of protecting against dangerous cyber-security issues, which is why we want to make sure you’re aware of the best internet safety practices. The weakest link is often your employees or volunteers, who are just trying to be helpful, so it’s critically important that any and all individuals with access to your computer system are adequately trained in cyber safety.
Anyone with access to this information should know not to share login and password information, and to not forward any sensitive information without confirming the request with a supervisor. We routinely send “test” phishing emails to our staff to make sure that they know not to provide login or password information or to forward sensitive information, without confirming directly with the requestor that they really are who they say they are. Those who fail the test are subject to disciplinary action for potentially breaching company security.
Remember, technology may not always be there to protect you, and unless your employees and volunteers understand their roles and responsibilities in safeguarding sensitive data, your nonprofit remains at risk. Stay safe and train your employees and volunteers to recognize common cyber-crime and information security risks, and stay up to date on IRS announcements like this on their website’s news feed.
Risk Alerts are provided as a resource to nonprofits insured by Nonprofits Insurance Alliance to help create awareness about possible areas of exposure to their organization.
NIA is a group of insurance cooperatives, insuring 501(c)(3) nonprofit across the country. If you are with a 501(c)(3) nonprofit organization and would like to get a quote for coverage, Get a Quote.
