8/10/2021
The Security Summit warns tax professionals to beware of evolving phishing scams that use pandemic-related themes to steal client data, a continuing twist on a common scam. Summit partners continue to see instances this year where tax professionals, especially those working remotely, have been vulnerable to identity thieves posing as potential clients.
The criminals trick practitioners into opening email links or attachments that infect their computer systems.
“Identity thieves have been relentless in exploiting the pandemic and the resulting economic pain to trick taxpayers and tax professionals to disclose sensitive information,” said IRS Commissioner Chuck Rettig. “Fighting back against phishing scams requires constant vigilance, and we urge tax pros to take some basic steps to help protect their clients and themselves.”
Phishing emails or SMS/texts (known as “smishing”) attempt to trick the person receiving the message into disclosing personal information such as passwords, bank account or credit card numbers, or Social Security numbers. Tax professionals are a common target.
While the scams may differ in themes, they typically have two traits:
They appear to come from a known or trusted source, such as a colleague; a bank or credit card company; a cloud storage or tax software provider; or even the IRS.
They tell a story, often with an urgent tone, to trick the receiver into opening a link or attachment.
A specific kind of phishing email that is often used to target tax professionals is called spear phishing. Unlike the scattershot nature of general phishing emails, scammers take time to identify their victim and craft a more tempting phishing email, known as a lure.
In a recurring and very successful scam this year, criminals posed as potential clients, exchanging several emails with tax professionals and then following up with an attachment they claimed was their tax information. This scam was effective because many practitioners worked remotely and communicated with clients over email rather than in person or over the telephone because of COVID-19.
Once the tax professional clicked on the URL or opened the attachment, malware was secretly downloaded onto their computer, giving thieves access to passwords for client accounts or remote access to the computer itself. Thieves then used this malware, known as a remote access trojan (RAT), to take over the tax professional's office computer systems, identify pending tax returns, complete them and e-file them, changing only the bank account information to steal the refund.
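The two traits listed above, a sender that looks trusted and an urgent story pushing a link or attachment, can be checked mechanically before a message reaches a preparer's inbox. The script below is an added example, not code from the IRS or the Security Summit: it parses raw email messages with Python's standard library and flags a Reply-To domain that differs from the sender domain, a display name that mimics a trusted brand while the sending domain does not match, urgent wording, and attachment types a client has little reason to send. All domains, names, brand-to-domain mappings and sample messages are constructed placeholders.

```python
"""Phishing triage heuristics for a tax-office mailbox (added example).

Not code from the IRS or the Security Summit. It applies the two traits the
advisory lists, a spoofed "trusted" sender and an urgent story pushing a
link or attachment, to raw RFC 5322 messages. All domains, names and
messages below are constructed placeholders.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types a tax office has little reason to receive from a client.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".lnk", ".iso",
                    ".docm", ".xlsm", ".htm", ".html"}
URGENCY_PHRASES = ["urgent", "immediately", "within 24 hours",
                   "account suspended", "act now", "deadline today"]
# Brand keyword -> the domain that brand legitimately sends from (assumed).
TRUSTED_BRANDS = {"taxsoftware": "taxsoftware.test", "taxfirm": "taxfirm.test"}


def _domain(header_value):
    """Lowercase domain from a header like 'Name <user@host>' ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def triage(raw_message):
    """Return a list of findings for one raw message; [] means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Trait 1: appears to come from a known or trusted source.
    from_header = str(msg.get("From", ""))
    from_domain = _domain(from_header)
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    display_name = from_header.split("<")[0].strip().strip('"').lower()
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display_name and from_domain != real_domain:
            findings.append(f"display name mimics {real_domain} but sender domain is {from_domain}")

    # Trait 2: an urgent story that pushes a link or attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgent wording: " + ", ".join(hits))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
    return findings


def build_sample(sender, subject, text, reply_to=None, attachment_name=None):
    """Construct a raw message for demonstration (constructed data, not real mail)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "preparer@taxfirm.test"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(text)
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


SAMPLES = {
    # The "new client" lure from the advisory: friendly thread, then a file.
    "fake_client": build_sample(
        "Pat Newclient <pat@freemail.test>", "My tax information",
        "Thanks for your replies. Attached is my tax information, please review "
        "immediately so we can file before the deadline today.",
        attachment_name="tax_info_2020.docm"),
    # Vendor impersonation: display name says TaxSoftware, the domains say otherwise.
    "fake_vendor": build_sample(
        "TaxSoftware Support <alerts@taxsoftware-login.test>", "Account suspended",
        "Your account suspended due to unusual activity. Act now to restore access.",
        reply_to="help@freemail.test"),
    # Ordinary colleague mail that should pass clean.
    "legit": build_sample(
        "Jo Colleague <jo@taxfirm.test>", "Thursday agenda",
        "Agenda for Thursday attached, see you then.",
        attachment_name="agenda.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw) or "clean")
```

Heuristics like these produce leads, not verdicts: the constructed "new client" message is flagged only for its urgent wording and its macro-enabled attachment, which is exactly the point the advisory makes about that lure looking otherwise ordinary. A real deployment would feed the findings to the person reviewing the mail rather than auto-delete, and would keep the brand-to-domain table current for the providers the office actually uses.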
International criminals have used ransomware attacks to shut down a variety of companies in recent months. Criminals use similar, smaller-scale tactics against tax professionals: when the unsuspecting tax professional opens a link or attachment, malware attacks their computer system, encrypts files and holds the data for ransom.
These scams highlight the importance of the basic security steps recommended by the Security Summit to protect data:
Using two-factor (2FA) or multi-factor authentication (MFA) options offered by tax preparation and storage providers protects client accounts even if passwords are accidentally disclosed.
Keeping anti-virus software automatically updated helps prevent attacks that target software weaknesses.
Using drive encryption and backing up files regularly helps protect against data theft and ransomware attacks.
Securing their networks to protect taxpayer data is tax professionals' responsibility. The IRS recently updated Publication 4557, Safeguarding Taxpayer Data, to help them defend against phishing scams and better protect taxpayer information. The July 2021 version contains some of the latest suggestions, such as using the multi-factor authentication option and helping clients get an Identity Protection PIN.
Resources: IRS Publication 4557, Safeguarding Taxpayer Data
Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology
Publication 5293, Data Security Resource Guide for Tax Professionals