Tax Season Brings a Surge in Phishing Scams Targeting Nonprofit Staff

Every year, tax season creates the perfect storm for cybercriminals. Staff are expecting W-2 forms, payroll reminders, donation receipts, and IRS-related emails — and attackers know it.

Security teams are warning that phishing campaigns are spiking right now, timed specifically to exploit nonprofit employees and finance teams who are handling sensitive tax and payroll information. According to ConnectWise’s security monitoring, attackers are increasingly impersonating HR, payroll providers, executives, and even the IRS to trick staff into handing over W-2 data, login credentials, or banking information.

This is not random spam. These are carefully timed messages designed to look routine and urgent.

Why Tax Season Is Prime Time for Attackers

From January through April, nonprofits process:

  • W-2 and 1099 forms for staff and contractors
  • Donation receipts and tax acknowledgment letters
  • Payroll changes and benefits updates
  • Financial reporting tied to grant compliance and audits

Because these communications are expected, phishing emails blend in easily. A fake “W-2 correction,” “updated payroll document,” or “IRS verification request” doesn’t raise the same red flags it would in July.

ConnectWise reports that many of these campaigns use subject lines like:

“Updated W-2 Form Available”
“Payroll Document Requires Review”
“IRS Tax Statement – Action Required”

These messages often link to realistic login pages that mimic Microsoft 365, payroll portals, or HR systems. The page itself looks right; only the address in the browser bar gives it away. Once credentials are entered, attackers use them quickly, often before the victim suspects anything, to read the mailbox and reach payroll records and donor data.

What Makes Nonprofits Especially Vulnerable

Nonprofits are frequent targets because:

  • Finance and HR roles often overlap, meaning fewer checkpoints
  • Staff are busy and may not have dedicated cybersecurity training
  • Organizations rely heavily on email and cloud tools like Microsoft 365 and Google Workspace
  • Sensitive data (SSNs, donor records, banking info) is readily accessible to small teams

Red Flags Staff Should Watch For

Encourage your team to pause if an email:

  • Asks for W-2, SSN, or payroll data via email
  • Creates urgency around “tax deadlines” or “IRS action”
  • Links to a login page that doesn’t match your usual payroll or HR portal URL (check the domain in the link itself, not how the page looks)
  • Requests secrecy or bypassing normal process
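The red flags above can be checked mechanically before a message ever reaches a busy finance inbox. The following is an added example, not code from the original article or from ConnectWise: a small Python triage script that scores a plain-text email against those rules (urgency and IRS wording, mentions of W-2, SSN, payroll or banking data, secrecy or bypass requests, links whose host is not one of the organization’s known portals, and a Reply-To domain that differs from the sender’s). The portal allow-list, the brand tokens, and both sample messages are constructed for illustration; example.org stands in for the nonprofit’s own domain.

```python
"""Tax-season phishing triage against the red-flag checklist.

Added example for this article; not code from the original page or from
ConnectWise. The portal allow-list, brand tokens and both sample emails
are constructed for illustration (example.org plays the nonprofit).
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hosts of the portals staff actually use (hypothetical allow-list).
KNOWN_PORTALS = {"login.microsoftonline.com", "payroll.example.org"}
# Brand words that turn an unknown link host into a lookalike, not merely unknown.
BRAND_TOKENS = ("microsoft", "office365", "payroll", "irs")

URGENCY = re.compile(r"\b(action required|within 24 hours|immediately|deadline|irs)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2|1099|ssn|social security|routing number|account number|direct deposit)\b", re.I)
SECRECY = re.compile(r"(keep this (confidential|between us)|do not (tell|discuss|forward)|bypass|skip the usual)", re.I)
LINK = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Constructed sample messages: one phish, one routine payroll notice.
PHISH = """From: "HR Department" <hr@example.org>
Reply-To: hr-payroll@mail-example.net
Subject: IRS Tax Statement - Action Required
Content-Type: text/plain

Your updated W-2 form is available. Please sign in within 24 hours to
review it: https://microsoft-online-login.example.net/office365/verify
"""

LEGIT = """From: "Payroll" <payroll@example.org>
Subject: March pay stubs posted
Content-Type: text/plain

Pay stubs for March are posted in the usual portal:
https://payroll.example.org/stubs
"""


def registered_domain(host):
    """Collapse a hostname to its last two labels (good enough for this demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def addr_domain(header_value):
    """Domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of red flags raised by one plain-text email."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if URGENCY.search(text):
        flags.append("urgency around tax deadline / IRS action")
    if SENSITIVE.search(text):
        flags.append("mentions W-2, SSN, payroll or banking data")
    if SECRECY.search(text):
        flags.append("requests secrecy or bypassing normal process")
    for url in LINK.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in KNOWN_PORTALS:
            continue  # the portal staff really use
        kind = "lookalike" if any(t in host for t in BRAND_TOKENS) else "unrecognized"
        flags.append(f"{kind} link host: {host}")
    sender = registered_domain(addr_domain(msg.get("From")))
    reply_to = registered_domain(addr_domain(msg.get("Reply-To")))
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    return flags


def verdict(flags):
    """Any off-portal link, or two or more flags, means verify out of band."""
    if len(flags) >= 2 or any("link host" in f for f in flags):
        return "HOLD: confirm by phone or in person before acting"
    if flags:
        return "CAUTION: one red flag, read carefully"
    return "OK: no red flags"


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        found = triage(raw)
        print(label, verdict(found), found)
```

The constructed phish trips four rules (urgency, W-2 wording, a lookalike host under example.net, and a Reply-To that points away from the sender’s domain) and is held; the routine pay-stub notice, whose only link goes to the allow-listed portal, passes clean. The script reads plain-text bodies only; for HTML mail the same link check should compare the href against the visible link text as well, since the two are often different in these campaigns.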

Practical Steps Nonprofits Can Take This Week

Tax-season phishing is predictable, which means defenses can be simple and effective:

  1. Send a quick internal reminder to staff about W-2 and IRS phishing scams
  2. Require verbal or in-person confirmation for any request involving payroll or tax documents, using a phone number you already have on file rather than one given in the email
  3. Enable multi-factor authentication (MFA) on email and payroll systems; where the platform supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, because a convincing fake login page can relay a one-time code to the real site as it is typed
  4. Review who has access to employee tax and donor financial data, and remove access a role no longer needs
  5. Report suspicious emails to your IT provider instead of deleting them, so the same message can be found and removed from other mailboxes

Why This Matters Beyond One Email

When attackers gain access during tax season, the impact goes beyond stolen credentials. Organizations have reported:

  • Fraudulent payroll deposits
  • Stolen employee tax records
  • Compromised donor databases
  • Business email compromise used to trick vendors and partners

Key Takeaway

Tax season gives phishing attackers the perfect disguise. Because nonprofit staff expect W-2s, payroll updates, donation receipts, and IRS-related messages, fraudulent emails slip past normal suspicion by looking routine and urgent. By reminding staff that the IRS never asks for tax data by email, verifying any payroll or W-2 request through a second channel, enabling MFA, and reinforcing a “pause and check” culture, nonprofits can stop these predictable scams before they turn into stolen tax records, compromised donor data, or fraudulent payroll activity.
