“Increasingly, tax professionals are being targeted by identity thieves. These criminals — many of them sophisticated, organized syndicates — are redoubling their efforts to gather personal data to file fraudulent federal and state income tax returns.”
That’s a statement from the IRS to tax professionals everywhere.
As a tax professional, that should put you on your guard.
In response to growing cybercrime, the IRS formed the Security Summit in 2015. The summit is a partnership between the IRS, state tax agencies, and the private-sector tax industry. Its goal is to share information about new attacks, as well as advice on how to protect yourself and your clients.
Two-Stage Email Scam Specifically Targeted to Tax Pros
A recent alert described a new type of email scam targeted at tax professionals. The goal of the current scam is to collect sensitive information that would allow criminals to prepare fraudulent tax returns.
The scam involves phishing. Phishing is when a criminal sends emails that appear to come from reputable companies or individuals. The goal is to induce the recipient to reveal personal information (passwords, user names, credit card numbers, etc.) that can then be used to commit fraud or other hacking activity.
This particular scam occurs in two stages. The first email from the phisher makes a common statement that tax professionals often see this time of year, such as "I need a preparer to file my taxes."
If the tax professional takes the bait on the first email, then the cybercriminal sends a second. This email typically contains an embedded web address or a PDF attachment with an embedded web address.
The Result of Falling for This Attack
Phishing emails often appear legitimate. Sometimes they will use the name of a legitimate person or organization, or even the name of a friend or colleague that the recipient will recognize. When this happens, it’s often a sign that the friend or colleague has already been a victim of the attack: the hacker has taken over their account and is sending phishing emails from it.
By clicking on the web address or the PDF, the tax pro may believe they are downloading a potential client's tax information. In truth, the hackers are collecting the preparer's email address and password and possibly other information.
How Can You Protect Yourself and Your Clients?
Stay suspicious. Be wary of any email from someone you don’t know (and sometimes even from someone you do know). If the requests in the email seem out of character or unusual, don’t respond. Although criminals are getting better at this particular type of crime, common signs of a phishing scheme are bad grammar or unusual wording. Additionally, if there is a link, hover your mouse over the link (without clicking!) to see if the web address that the link points to is legitimate. Again, the more sophisticated criminals are getting better at hiding their fake links, but often there is a mismatch.
Be informed. Cybercriminals constantly change and update their tactics to stay ahead of the game. Bookmark the IRS Protect Yourself; Protect Your Clients page, register for e-News for Tax Professionals, and follow the IRS Twitter feed and its Facebook page for tax professionals.
Seek expert advice. The IRS recommends creating strong internal security policies and following security expert recommendations on what to do about unsolicited emails, especially those containing links or file attachments. It also suggests that you never respond to or click on a link in an unsolicited email, especially from someone you don’t know.
Use technology. Use strong spam filters and antivirus software. Ensure software updates and patches are performed frequently. Encrypt company and client information and only use secure file sharing. If you’re unsure about how to proceed with some of these steps, call in vetted security and IT professionals to help.
Cybercriminals are becoming increasingly sophisticated. You’ll have to stay vigilant to safeguard yourself, your business, and your clients.