The Internal Revenue Service and its partners are cautioning tax professionals to beware of the latest schemes to steal taxpayer information through phishing emails.
The IRS and its Security Summit partners in the tax prep industry and state tax authorities have been doing a public awareness campaign this summer aimed at tax pros and the risks they face from cybercriminals. On Tuesday, they sent a warning about evolving email and cloud-based schemes to steal taxpayer data. They’re continuing to see instances where tax pros have been receiving identity theft phishing emails from scammers posing as potential clients. The cybercriminals then trick tax practitioners into opening email links or attachments that infect their computer systems with the potential to steal client information.
The Security Summit is also warning tax pros who are using cloud-based systems to store and prepare tax returns and information to make sure they use multifactor authentication methods in light of recent attacks. Using a phone call, text message or tokens, they can avoid potential vulnerabilities that emerge when authentication is done just through email, which is easier for identity thieves to access.
“Identity theft scammers continually try new schemes to steal client personal and financial information from tax professionals. We continue to see a barrage of emails aimed at tax professionals trying to trick them into providing valuable access to identity thieves,” said IRS Commissioner Chuck Rettig in a statement. “And we continue to urge people to use multifactor authentication, including those using cloud-based services. Constant vigilance is necessary, not just during tax season but year-round. We urge tax pros, both large operations and smaller ones, to consider these invaluable recommendations to help protect their clients and themselves.”
Phishing emails or SMS/texts (known as “smishing”) try to trick recipients into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers. Tax pros are a common target of these schemes.
The scams may differ in some respects, but they generally have two traits:
- They appear to come from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider or even the IRS and other government agencies.
- They create a false narrative, often with an urgent tone, to trick the receiver into opening a link or attachment.
One type of phishing email is called spear phishing. As opposed to a general phishing email, scammers take extra time to identify their victim and craft a more enticing phishing email known as a lure. Scammers often use spear phishing to target tax professionals.
In a recurring successful scam, criminals posed as potential clients, exchanging several emails with tax pros before following up with an attachment that they claim is their tax information. Once the tax pro clicks on the embedded URL and/or opens the attachment, malware secretly downloads onto their computers, giving the criminals access to passwords to client accounts or remote access to the computers themselves.
Identity thieves then use this malware, known as a remote access trojan, to take over the tax professional’s office computer systems, identify pending tax returns, complete them and electronically file them, changing only the bank account information to steal the tax refund.
This scam gained energy as many tax professionals worked remotely and communicated with clients over email versus in-person or over the telephone because of the pandemic.
In the past, criminals have used such ransomware attacks to shut down different companies. Criminals can employ similar, smaller-scale tactics against tax pros. When the unsuspecting tax professional opens a link or attachment, the malware attacks the tax pro’s computer system to encrypt files and the thieves hold the data for ransom.
Another emerging scheme the IRS has seen involves weak security from tax professionals using cloud-based systems to store client data. While many cloud-based systems are secure, tax pros who rely on them should ensure they’re using strong multifactor authentication to avoid letting cyberthieves access their sensitive information.
The IRS has learned of multiple cases — frequently involving smaller tax prep firms or businesses — where individual accounts on cloud-based platforms have been compromised. Identity thieves access these and then use existing data from taxpayer returns to file new tax returns seeking refunds, frequently by mail.
These cloud-based accounts are more vulnerable when tax pros don’t implement strong multifactor authentication to authenticate who is using the platform. The IRS and its partners recommended the following steps:
- Use two-factor or multifactor authentication options offered by tax prep providers or storage providers to protect client accounts even if passwords were inadvertently disclosed.
- Keep anti-virus software automatically updated to prevent scams that target software vulnerabilities.
- Use drive encryption and regularly backup files to curb theft and ransomware attacks.
For more information, see IRS
