Dangerous W-2 Phishing Scam Evolving, Targets Include Nonprofits

By: Anders Erickson, CISA, CISSP, CRISC

“This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen, referring to the phishing scam that has resulted in the theft of W-2 information across many industries, including nonprofit organizations.

Cyber criminals are using spoofing techniques to disguise an email so that it appears to come from an executive within the organization, so that the recipient (usually in the payroll or HR department) feels compelled to respond. The cyber criminal asks for a list of employees with their W-2s and intends to use this information to file a fake tax return and fraudulently collect the employee’s refund before the employee has a chance to file. Cyber criminals may also ask for money to be wired as part of this scam, and they continue to evolve their schemes.
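As an added illustration (not from the original article), the following Python function applies the kind of checks a payroll mailbox filter could run on an incoming message: a display name that matches an executive but an address that is not theirs, an external sender domain, a Reply-To that diverges from the From address, and a request for W-2 data. The sample message, the organization domain and the executive list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not from the original article: a spoofed request to payroll.
SAMPLE_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail.example.net
To: payroll@example-corp.com
Subject: Urgent: W-2s needed today

Can you send me the W-2 forms for all employees as a PDF? I need them before my 2pm meeting.
"""

# Hypothetical organization values; a real deployment would load these from its directory.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
W2_PATTERN = re.compile(r"\bW-?2s?\b", re.IGNORECASE)


def domain_of(address):
    """Return the lowercase domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def exec_name_in(display_name):
    """Return the executive whose name appears in the display name, if any."""
    lowered = display_name.lower()
    return next((name for name in EXECUTIVES if name in lowered), None)


def assess_w2_request(raw):
    """Return the reasons an email looks like an executive-impersonation W-2 request."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    exec_name = exec_name_in(display)
    if exec_name and sender.lower() != EXECUTIVES[exec_name]:
        reasons.append("display name matches an executive but address is not theirs")
    if domain_of(sender) != ORG_DOMAIN:
        reasons.append("sender domain is external")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        reasons.append("Reply-To domain differs from From domain")
    if W2_PATTERN.search(msg.get("Subject", "") + " " + body):
        reasons.append("requests W-2 data")
    return reasons
```

A message that trips several of these checks at once is a strong candidate for holding and verifying with the named executive by phone rather than by replying.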

If you believe your organization has been a victim of this type of scam, there are several steps to take at the organization level:

  • Report the W-2 theft to the IRS immediately so that it can begin helping to protect employees from tax-related identity theft. Forward the email to phishing@irs.gov and place “W2 Scam” in the subject line.
  • File a complaint with the Internet Crime Complaint Center (IC3), operated by the Federal Bureau of Investigation.

If you are an employee whose W-2 has been stolen:

  • Review the actions recommended by the Federal Trade Commission at www.identitytheft.gov or by the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit, if your tax return gets rejected because of a duplicate Social Security number and/or if instructed to do so by the IRS.

If your organization has been lucky enough to avoid such scams so far, there are measures you can take ahead of time to protect it and prevent attacks.

  • Consult cyber security experts about how to establish a culture of security at your organization.
  • Enact policies and procedures that safeguard the handling of W-2s during tax season.
  • Encourage your employees to be safe online and to avoid scam sites posing as tax return eServices sites.

Eide Bailly has cyber security and computer forensic experts who can help organizations prevent or respond to these and other cyber threats. Please contact your Eide Bailly representative or Eide Bailly’s Cyber Security Leader, Anders Erickson, at 208.383.4731 or email aerickson@eidebailly.com for more information.

Expense Reports – Best Practices for Fraud Avoidance

By: Doug Cash, MBA, CFE, CFI, CFCI

Fraudulent expense reporting by employees continues to be a common threat to operations. A recent survey by the Association of Certified Fraud Examiners estimated the median loss from expense reimbursement fraud was $30,000 per year. This is a considerable amount of money for many NPOs!

As with most areas of internal control, to prevent and detect this type of scheme, start with a solid, clear reimbursement policy and then review reimbursement requests to ensure the policy is being followed. Do you have to review 100%? Not likely. Reviewing on a sample basis, as long as employees are aware this is happening, should be adequate to ensure the policy is being followed. Once this “perception of detection” is established, employees are less likely to commit fraud because of the increased chance that their misdeeds will be uncovered.

Elements of a strong reimbursement policy include:

  • Timely reporting – reimbursement requests should be submitted within 30 days of the expense
  • Appropriate expenditures – the policy should be very clear about expectations regarding reimbursement for alcoholic beverages, family members, expensive hotels and restaurants, and excessive tipping
  • Proper documentation – if it is not feasible to require original receipts, make employees responsible for retaining the original receipts so that they can be produced if a reimbursement request is selected for review
  • Minimum receipt threshold – set a reasonable level, such as $25 or $50, below which a receipt is not required for reimbursement
  • Chargeback provisions – if undocumented expenses are found during the review process, have a clear policy regarding potential charge-back to the employee

We mentioned earlier that testing 100% of reimbursement requests may not be necessary, depending on the nature of your operations and the staff time available for review. In addition to reviewing selected reimbursement requests in detail, which should always include all original receipts, consider running a report that identifies the employees with the most charges below the minimum receipt threshold.
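As an added example (not from the article), this Python report summarizes a batch of reimbursement claims against the policy elements above: it counts each employee's charges below the receipt threshold and their total, flags claims over the threshold submitted without a receipt, and flags claims submitted more than 30 days after the expense, then ranks employees by sub-threshold count to pick review candidates. The threshold, window and claim records are constructed sample values.

```python
from collections import defaultdict
from datetime import date

# Hypothetical policy values (the article suggests $25 or $50 and a 30-day window).
RECEIPT_THRESHOLD = 25.00
SUBMISSION_WINDOW_DAYS = 30

# Constructed sample claims, not from the article:
# (employee, expense date, submitted date, amount, receipt attached)
SAMPLE_CLAIMS = [
    ("alice", date(2017, 3, 1), date(2017, 3, 10), 24.50, False),
    ("alice", date(2017, 3, 2), date(2017, 3, 10), 24.90, False),
    ("alice", date(2017, 3, 3), date(2017, 3, 10), 24.75, False),
    ("alice", date(2017, 1, 5), date(2017, 3, 10), 180.00, True),
    ("bob", date(2017, 3, 4), date(2017, 3, 8), 12.00, False),
    ("bob", date(2017, 3, 5), date(2017, 3, 8), 95.00, False),
]


def review_claims(claims, threshold=RECEIPT_THRESHOLD, window=SUBMISSION_WINDOW_DAYS):
    """Summarize each employee's claims against the reimbursement policy.

    Returns {employee: {...}} with the number and total of sub-threshold claims
    (no receipt required), late submissions, and over-threshold claims lacking a receipt.
    """
    report = defaultdict(lambda: {"below_threshold": 0, "below_threshold_total": 0.0,
                                  "late": 0, "missing_receipt": 0})
    for employee, spent, submitted, amount, has_receipt in claims:
        entry = report[employee]
        if amount < threshold:
            entry["below_threshold"] += 1
            entry["below_threshold_total"] = round(entry["below_threshold_total"] + amount, 2)
        elif not has_receipt:
            entry["missing_receipt"] += 1  # policy violation: receipt required above threshold
        if (submitted - spent).days > window:
            entry["late"] += 1  # submitted outside the timely-reporting window
    return dict(report)


def rank_by_sub_threshold(report):
    """Employees ordered by number of sub-threshold claims, most first (review candidates)."""
    return sorted(report, key=lambda e: (-report[e]["below_threshold"], e))
```

A run of claims clustered just under the threshold, as in the sample, is exactly the pattern the sample-basis review should pull for a closer look.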

Prevention is always less expensive than detection and Eide Bailly can help protect your organization. Our forensic teams enjoy assisting with preventative measures including all areas of internal controls. Contact us today!


Fraud: Current Trends & Information

By: Jeremy Bendewald

Trillions of dollars of revenue worldwide are lost to fraud. According to the Association of Certified Fraud Examiners 2016 Report to the Nations on Occupational Fraud and Abuse, 5 percent of annual revenues are lost to fraud, which is $3.7 trillion worldwide. While the median loss was $150,000, 23 percent of cases involved losses of more than $1 million. Typically, smaller organizations suffer the larger losses. It is important to be aware of current trends in fraud so your company can avoid occupational fraud and abuse.

In 83 percent of fraud cases, the fraud involved asset misappropriation. Most frequently victimized were private companies and those in the banking and financial services industry. While employees were typically the perpetrators, owners and executives were the ones who generated the largest fraud losses. The primary weakness in many of these cases was lack of internal controls.

An example of poor controls in a small business can be seen in an actual fraud examination performed by Eide Bailly. The bookkeeper for a tile company was responsible for daily tasks including collecting sales receipts, completing deposit slips and making deposits. After a period of time, the bookkeeper began to remove checks and hide them in her desk. Later, when the daily sales included an amount of cash that matched one or several of the checks that had been set aside, the bookkeeper exchanged the cash for the checks and made the daily deposit. No one in the company was aware the cash was missing until it was discovered that revenue numbers would not reconcile. By the end of the scheme, the business had lost more than $150,000.

Some simple controls could have prevented this scheme.