IRS Warns Tax Pros of Evolving Phishing and Cloud-Based Schemes
The IRS and its Security Summit partners have issued a warning to tax professionals about new phishing scams and cloud-based schemes aimed at stealing sensitive taxpayer information. These threats have evolved and now target tax professionals year-round.
“We continue to see a barrage of email and related attacks designed to trick tax professionals and gain access to their sensitive information,” said IRS Commissioner Danny Werfel. “These attempts can be elaborate, multi-layered efforts that look convincing and can easily fool people. Tax professionals need to be wary and educate their employees to use extra caution to protect their clients and their businesses.”
The Security Summit, which includes tax professionals, industry partners, state tax agencies, and the IRS, has been working since 2015 to safeguard the tax system against identity theft and fraud. This summer, the Nationwide Tax Forum will focus on these security tips, with events in five cities across the U.S. The forums are three-day continuing education events for tax professionals, starting July 30 in Orlando and continuing through September 10 in San Diego.
Common threats tax professionals face include phishing and related scams. These scams trick recipients into disclosing personal information such as passwords, bank account numbers, credit card numbers, or Social Security numbers. Tax professionals and taxpayers should be aware of different phishing terms and what these scams might look like:
- Phishing/Smishing: These emails or text messages attempt to trick the recipient into clicking a suspicious link, filling out information, or downloading a malware file. Often, these attempts are sent to multiple email addresses at a business or agency to increase the chances of success.
- Spear Phishing: This specific type of scam targets individuals rather than large groups, delivering a realistic email known as a “lure.” These scams are trickier to identify because they single out individuals, making the email seem more legitimate.
- Clone Phishing: This newer type of scam clones a real email message and resends it to the original recipient, pretending to be the original sender. The new message includes an attachment with malware or a link designed to steal information.
- Whaling: Similar to spear phishing, whaling targets leaders or executives with access to large amounts of secure information. These attacks can also target payroll offices, human resources personnel, and financial offices.
Security Summit partners have observed tax professionals being particularly vulnerable to emails posing as potential clients. In the “new client” scam, criminals use this technique to trick practitioners into opening email links or attachments that infect computer systems with malware.
Regardless of the type of phishing attempt, tax professionals can protect themselves by being aware of these scams and looking for warning signs, such as:
- Unexpected emails or texts from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider, or government agency.
- Duplicate emails from a known source that contain new attachments or hyperlinks.
- Messages with an urgent tone, urging the receiver to open a link or attachment.
- Email addresses, numbers, or links that are slightly misspelled or have different domain names or URLs.
“There are major red flags that can be easily overlooked, so tax professionals and taxpayers should be extra careful and look closely when they receive an email from an official-looking source,” Werfel said.
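The clone-phishing pattern and two of the warning signs above (a duplicate message that carries new attachments or links, and a slightly misspelled sender domain) can be checked mechanically against mail already received. The following Python sketch is an added example, not code from the IRS or the Security Summit; the message fields, thresholds, flag names and the `example-tax.com` addresses are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)

def hosts(body):
    """Hostnames of every http(s) link in a message body."""
    return {h.lower() for h in URL_RE.findall(body)}

def text_only(body):
    """Body with links removed and whitespace collapsed, for comparison."""
    return " ".join(URL_RE.sub("", body).split()).lower()

def subject_key(subject):
    """Subject line without reply/forward prefixes."""
    return re.sub(r"^((re|fwd?):\s*)+", "", subject.strip(), flags=re.I).lower()

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_lookalike(a, b, threshold=0.85):
    """True when two different domains are nearly identical strings."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold

def clone_flags(new, earlier, body_threshold=0.9):
    """Compare a new message with earlier mail; return the warning signs found."""
    flags = set()
    for old in earlier:
        similar = SequenceMatcher(None, text_only(new["body"]),
                                  text_only(old["body"])).ratio() >= body_threshold
        if subject_key(new["subject"]) != subject_key(old["subject"]) or not similar:
            continue  # not a copy of this earlier message
        if hosts(new["body"]) - hosts(old["body"]):
            flags.add("new-link-host")        # duplicate with a new hyperlink
        if set(new["attachments"]) - set(old["attachments"]):
            flags.add("new-attachment")       # duplicate with a new attachment
        if is_lookalike(domain(new["sender"]), domain(old["sender"])):
            flags.add("sender-lookalike")     # slightly misspelled domain
    return sorted(flags)

# Constructed sample messages (not real traffic).
ORIGINAL = {"sender": "jane@example-tax.com", "subject": "2023 return documents",
            "body": "Hi, the signed engagement letter is attached. "
                    "Portal: https://portal.example-tax.com/docs",
            "attachments": ["engagement.pdf"]}
CLONE = {"sender": "jane@examp1e-tax.com", "subject": "RE: 2023 return documents",
         "body": "Hi, the signed engagement letter is attached. "
                 "Portal: https://portal.examp1e-tax.com/docs",
         "attachments": ["engagement.pdf", "engagement_updated.zip"]}
UNRELATED = {"sender": "jane@example-tax.com", "subject": "Question about extension",
             "body": "Can we file an extension this year?", "attachments": []}
```

An exact resend of the original message raises no flags; only a copy that changes the links, attachments or sender domain does.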
Tax professionals using cloud-based systems should use multi-factor authentication to safeguard data. The Federal Trade Commission now requires practitioners to secure sensitive client information using multi-factor authentication, which provides an additional layer of security.
The IRS urges tax professionals who fall victim to these schemes or identity theft to quickly contact their IRS stakeholder liaison and report the incident to the appropriate state tax agency. This can help prevent these attacks from affecting others in the tax community.
Tax professionals should also understand the Federal Trade Commission’s data breach response requirements and report incidents affecting 500 or more people within 30 days. To assist with these requirements, the Security Summit has prepared a sample Written Information Security Plan.
For more information, tax professionals should review IRS Publication 4557, Safeguarding Taxpayer Data, and other resources like the Small Business Information Security: The Fundamentals guide by the National Institute of Standards and Technology. The IRS also encourages tax professionals to stay updated through subscriptions to e-News for tax professionals and social media sites.