Security Summit to Tax Pros Don’t Take the Bait

It’s the new normal: All of us in the income tax industry have to be aware that somewhere, at any time, there may be someone out in cyberspace who is actively trying to steal the confidential data of our clients and our businesses.

Fight back.

Refuse to fall victim to the scams and ruses used by identity thieves and fraudsters. We have help in that from the Security Summit, a joint effort of the Internal Revenue Service, state tax agencies, and tax industry leaders to develop winning strategies against data theft and tax fraud.

The Security Summit has kicked off an awareness campaign termed “Don’t Take the Bait,” that will run through mid-September to help counter the threat.

The latest assault involves “spear phishing,” bogus emails often tailored to individual tax pros that attempt to fool the recipient to click on links that secretly install malware or other software that can steal data. These fake messages can appear to be from a legitimate client of the tax professional or from their tax software provider.

“We are seeing repeated instances of cybercriminals targeting tax professionals and obtaining sensitive client information that can be used to file fraudulent tax returns. Spear phishing emails are a common way to target tax professionals,” said IRS Commissioner John Koskinen. “We urge practitioners to review this information and take steps to protect themselves and their clients.”

Trend Micro, a trusted security software company, says some 91 percent of all cyberattacks and their resulting data breaches start with a spear phishing email.

Regular phishing emails target a wide group of users in hopes of snaring a few victims. Spear phishing, however, is a very sophisticated technique that sends messages that appear to be from a trusted source and target very specific recipients. But with most cyberattacks, there are some ways to tell if a suspect email is a scam.

Example of Phishing Email

This image is a shot of an actual email sent to a tax pro during the 2017 filing season. At the top of the image, note the sender used “Tax return” in the subject line to impersonate a potential client and to bait the tax preparer. The sender did their research, obtaining the name and email address of the tax pro.

But there are still signs that this isn’t from a real client. The text is conversational but ungrammatical and oddly written: “hope your doing good and actively involved in the tax filing season.” These all suggest a sender who has English as a second language. Finally, note that the hyperlink has a “tiny” URL to mask the true destination—another red flag.

There are variations on this theme. In one version, the prospective “client” asks the tax professional to open an attachment to see his tax information needed to prepare a return. In reality, that attachment downloads malware that tracks the preparer’s keystrokes, stealing passwords and other sensitive data. Other variations may appear to be from the IRS e-Services or from the tax preparer’s tax prep software provider.

One common thread in most spear phishing emails is a “call to action,” which encourages the recipient to open a link or attachment.

No matter which variation of spear phishing email we may be faced with, the Security Summit has some basic recommendations to protect our data—and our clients’ data:

  • Educate all employees about phishing in general and spear phishing in particular.
  • Use strong, unique passwords. Better yet, use a phrase instead of a word. Use different passwords for each account. Use a mix of letters, numbers and special characters.
  • Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Visit the e-Services website for confirmation.
  • If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.
  • Consider a verbal confirmation by phone if you receive an email from a new client sending you tax information or a client requesting last-minute changes to their refund destination.
  • Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.
  • Use the security options that come with your tax preparation software.
  • Send suspicious tax-related phishing emails to phishing@irs.gov.