By: Christian Spencer, CPA, Partner

During 2016 a large number of nonprofit organizations received fraudulent e-mail requests to wire funds to fictitious vendors or to bank accounts not associated with legitimate vendors. This fraud scheme, also known as spear-phishing, generally commenced with an email that appeared to come from a high-level employee within the organization.  In response to this wide-spread fraud scheme, nonprofit organizations took a number of steps to strengthen internal controls.  These steps included providing enhanced employee training on the appropriate use of email and identifying imposters, updating internal controls on cash disbursements and requiring verbal confirmations for any wire transfers.

Although these fraudulent wire transfer requests continue, a new cyber threat has developed with in the past several months. Similar to the scheme from 2016, the fraudster has spoofed the organization’s web domain name to make an email message appear to originate from a high level employee. However in this new scheme the fraudster requests copies of all employees’ Form W-2 or a list of employees, their social security numbers, dates of birth, home addresses, and current salaries.  The fraudster may indicate he needs this information to assist in performing an annual compensation analysis, to help in determining annual bonuses, or to facilitate future salary increases.  However, the employee’s information may ultimately be used to file fraudulent personal income tax returns in order to obtain improper tax refunds.  In addition, by having this level of detailed personal information available, the imposter can easily work to steal an individual’s identify.  Once an individual’s identity is compromised, personal bank accounts can be accessed, improper credit established, and fraudulent purchases made.

Due to the long-lasting damage that can result from this scam, it is critical that organizations take steps to continue to secure sensitive employee information. These steps include the following:

    • Alert all individuals in your human resources department about this scam as the imposters are generally targeting employees in this department based on easily obtained job titles on your website or Form 990.
    • All requests for employee information from within your organization should be verbally confirmed with the requestor prior to providing that information.
    • Ensure there is an approved list of individuals authorized to request employee information and that this list is reviewed and updated throughout the year by the appropriate individual.
    • Revisit your policy on transmitting employee information by email. At a minimum, this information should be password-protected.  The password, which should be complicated in nature, should not be transmitted with the file and should not include easily determined words such as the organization’s acronym, the current or prior year, or the words “employee” or “payroll.”
    • Consider storing employee information on a secure network drive only accessible by certain authorized individuals with granted permission rights.
    • Continue to provide internal training throughout the year about how to identify fictitious emails and the importance of not activating embedded hot links within an email.
    • When needed for internal budgeting and analysis purposes, individual compensation information can be accumulated and provided without including potentially compromising details such as the individual’s full name, date of birth and social security number.

Christian Spencer, CPA is a partner in the Firm’s audit services department and can be reached at