Scammers have made millions of dollars defrauding U.S. taxpayers out of their hard-earned money, and the number of scams and victims are on the rise. The nonprofit sector isn’t immune from these issues, either. In February, the IRS, state tax agencies and the tax industry issued an urgent alert that email phishing scams have expanded beyond the corporate world, with school districts, tribal organizations and hospitals all being targeted and falling prey to schemes.

One typical example of a simple scam is an eight-person group arrested last week in Miami, who called taxpayers and impersonated aggressive revenue agents. They would threaten arrest and criminal prosecution if their demand for immediate wire payment of a fictitious tax debt wasn’t met. While not particularly sophisticated, the group allegedly bilked 7,000 victims out of approximately $8.8 million according to the Inspector General for Tax Administration. These schemes are successful in large part due to the general public’s fear of being audited by the IRS.

More recently, scams have progressed to include use of malware and email phishing scams as well as using text messages and social media contacts to request payments. One new and especially troubling email scheme involves the scammer impersonating an organization’s executives. The scammer disguised as an executive’s email account (called spoofing) sends requests for W-2 payroll information to persons in the organization’s accounting department. Once the scammer has the personal information of employees, it is used to steal their identity or is sometimes used to ask the payroll department to make wire transfers ostensibly on the employee’s behalf.

In response to the nearly 400 percent increase in phishing scams in 2016, the IRS issued a series of information releases on how to spot a scam. Last week, the IRS also released a fact sheet announcing that it has created a new page on its website to help taxpayers spot and report IRS impersonators. Some important tips for spotting scams:

• The IRS does not initiate contact with taxpayers via social media, email, text or telephone.
• The IRS will either send a letter via US postal service or make an in-person visit to your organization. Agents must present two forms of identification upon request – pocket commission credentials and a HSPD-12 Card.
• The IRS will never ask a taxpayer to make a payment to any other recipient than the U.S. Treasury.
• The IRS will not demand immediate payment without offering taxpayers the time to question or appeal the amount.
• The IRS does not require payment in the form of a prepaid debit card, wire transfer or ask for account numbers.
• The IRS will never threaten to involve local law enforcement or other agencies to arrest you for not paying.

Employers and organizations:

• Never confirm an employee’s W-2 information via email or text message.
• Never confirm information relating to refunds, filing status, transcripts or verify PIN information by email to IRS or tax software companies.

If you or your organization has received suspicious emails, you can forward them to: phishing@irs.gov

If the IRS is notified in time, it can take steps to protect employees from identity theft. To report W-2 data theft, click here.

To report an IRS impersonation scam, click here.