A powerful scam whose targets were exclusively businesses is now being used against nonprofit organizations and others, according to Connecticut Better Business Bureau.

The Internal Revenue Service (IRS), says the “W-2” scam is carried out by criminals who disguise an email to make it look like it came from a business executive. The IRS says the phony email is sent to the company’s accounting or human resources department, typically asking for a list of all of the company’s W-2 tax forms, employees’ dates of birth and Social Security Numbers.

“Criminals are focusing on consumers’ personal information because it has a potentially much larger payout than credit card fraud,” according to Connecticut Better Business Bureau spokesman, Howard Schwartz.

“There is no question that a single credit card can be extremely valuable, however, personal information allows the creation of several fake credit card accounts, the ability to obtain official documents and commit income tax-return fraud.

This W-2 scheme came to light in 2016, and has since developed a new twist in which the cybercriminal subsequently sends an additional email, asking that a wire transfer be made to a specific account outside of the company.

New targets of the scam include, school districts, healthcare providers, chain restaurants, temporary staffing agencies, tribal casinos and delivery companies.

The Connecticut Department of Revenue Services says the fake emails may include wording such as:

“Can you send me the updated list of employees with full details (Name, Social Security Number, date of birth, home address and salary),” or “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”

How to Prevent W-2 theft
Re-evaluate workplace procedures – The simplest way for criminals to run these operations is if a business lacks the checks and balances necessary to protect employees’ and clients’ information and requests for money transfers by untraceable means.

Meet with all employees – In the past, this type of activity was not something companies or non-profits gave much thought to. Make sure all employees understand how these schemes work.

Review written policies – Draw up new organizational policies to prevent the W-2 and similar office scams from succeeding. This will help not only existing employees, but also others who join your organization so that they too will be on their guard.

Some communications are safer when conducted by telephone – Executives may not be available on a given day, for example, when they are on the road. Consider a policy that requires voice communications to authenticate any requests for personal information or currency transfers.