Dangerous W-2 Phishing Scam: Reporting Update

By: Anders Erickson, CISA, CISSP, CRISC

As we reported on March 7, 2017, the IRS has provided notice of a dangerous email scam that is impacting employers, including tax exempt entities. The scammer poses as an internal executive requesting employee Form W-2 and Social Security numbers. The IRS has established a process that will allow employers and payroll service providers to quickly report any data losses related to the W-2 scam. Read the IRS update, Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers for more information. If notified in time, the IRS can take steps to prevent employees from being victimized by identity thieves filing fraudulent returns in their names. There also is information about how to report receiving the scam email even if you did not fall victim.

Eide Bailly has cyber security and computer forensic experts that can help organizations prevent or respond to these and other cyber threats.  Please contact your Eide Bailly representative or Eide Bailly’s Cyber Security Leader, Anders Erickson at 208.383.4731 or email aerickson@eidebailly.com for more information.

2016 Form 990 and Instructions Changes

By: Laurie Hanson

The Form 990 and its many schedules remained largely unchanged for tax year 2016. The changes can be summarized pretty quickly, and include the following:

  1. For returns that cannot be electronically filed, the IRS previously considered returns that were delivered via USPS, FedEx and UPS as timely filed if postmarked at least by the due date of the return. The IRS has added DHL Express to this listing. Whenever a return is mailed to the IRS, regardless of the service used, we encourage you to obtain and retain the receipt for proof of mailing. That way, if the IRS later assesses a penalty for late filing, you’ll have proof that the return was filed on time and will be able to easily have the penalties abated.
  2. For tax years beginning after 12/31/15, the first extension for Form 990 and 990-EZ will cover a six-month period. A second extension is no longer available. Previously, two three-month extensions were available. Form 990 is due 4 ½ months after year end. The extension makes the return due 10 ½ months after year end. Thus, the final filing due date with extensions remains unchanged.
  3. The publicly supported charity definition has been updated to include an agricultural research organization under Internal Revenue Code (IRC) 170(b)(1)(A)(ix). This only pertains to IRC 501(c)(3) organizations that are exempt as a public charity and operate as agricultural research organizations. In other words, it doesn’t affect most organizations.
  4. Goods or services with insubstantial value have been indexed for inflation. The value of items valued at $10.60 or less that bear the organization’s name or logo and are given to donors in exchange for a donation need not be disclosed to the donor.
  5. For Hospitals, a few minor changes have been made to Schedule H to better reflect compliance with the final regulations under 501(r)..
  6. Form 990-T has been updated to include a specific line for tax on hospitals that are not compliant with IRC 501(r) regulations. The tax is not new. Only the line on the form is new.

Beyond Form 990 itself, you may be interested in the following nonprofit related tax issues:

If your organization hires veterans, you may be eligible for a credit against the employer portion of social security tax on wages paid to all employees. The credit applies to qualified first-year wages paid to qualified veterans who began work for the organization after December 31, 2014 and before January 1, 2020. The qualified veteran must be performing services in activities related to the purpose or function constituting the basis of the organization’s tax exempt status under IRC 501. The credit is claimed on Form 5884-C.

If your organization has foreign bank accounts with an aggregate value exceeding $10,000 at any time during the calendar year, Form 114 FinCEN, Report of Foreign Bank and Financial Accounts (FBAR) is required to be filed by April 15. A six-month extension is available. Previously, this form was due June 30 with no extensions.

Please feel free to contact your Eide Bailly nonprofit tax advisor to discuss any of the above items.

Utilizing a Single Member Limited Liability Company to Benefit your Nonprofit

By: Mike Herold

Many nonprofit organizations utilize single member limited liability companies (SMLLCs) in their operations. SMLLCs are popular vehicles for holding real estate and are an easy way to conduct separate activities in different locations. For example, a skilled nursing or senior care corporation might consist of various locations or centers each held within its own SMLLC. This provides a vessel for managing the operations and profitability of each location more effectively and accurately.

Because a SMLLC is considered a disregarded entity for federal tax purposes, the IRS allows the SMLLC to operate as a tax exempt entity without seeking its own application for tax exempt status. This makes the SMLLC a relatively low cost entity to create while affording the parent an additional level of liability protection through an isolating entity.

For more information on SMLLCs and tax exemption, read the full article here.

Dangerous W-2 Phishing Scam Evolving, Targets Include Nonprofits

By: Anders Erickson, CISA, CISSP, CRISC

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,’’ said IRS Commissioner John Koskinen referring to the phishing scam resulting in theft of W-2 information across many industries including nonprofit organizations.

Cyber criminals are using spoofing techniques to disguise an email making it appear as if it is coming from an executive within the organization so that the recipient (usually in the payroll or HR department) feels compelled to respond. The cyber-criminal is asking for a list of employees with their W-2s and intend to use this information in order to fake a tax return and fraudulently collect an employee’s return before they have a chance to file themselves. Cyber criminals may also be asking to wire money as a part of this scam and continue to evolve their scams.

If you believe that your organization has been a victim of these types of scams you can take many steps at the organization level:

  • Report the W-2 thefts to the IRS immediately so that they can begin to help protecting the employees from tax-related identity theft. Forward to phishing@irs.gov and place “W2 Scam” in the subject line.
  • File a complaint with the Internet Crime Complaint Center (IC3,) operated by the Federal Bureau of Investigation.

If you are an employee who’s W-2 has been stolen:

  • You should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit, if your tax return gets rejected because of a duplicate Social Security number and/or if instructed to do so by the IRS.

If your organization is lucky enough to have avoided such scams so far, there are measures to take to protect and prevent attacks ahead of time.

  • Consult cyber security experts about how to establish a culture of security at your organization
  • Enact policies and procedures safeguarding the handling of W-2s during tax season
  • Encourage your employees to be safe online and avoid to scam site fronting as Tax Return eServices sites.

Eide Bailly has cyber security and computer forensic experts that can help organizations prevent or respond to these and other cyber threats.  Please contact your Eide Bailly representative or Eide Bailly’s Cyber Security Leader, Anders Erickson at 208.383.4731 or email aerickson@eidebailly.com for more information.