In the second installment of a special series, the Internal Revenue Service and Security Summit partners warned tax professionals to be aware of evolving phishing scams and cloud-based schemes designed to steal sensitive taxpayer information.
The IRS and Security Summit partners – representing state tax agencies and the nation’s tax industry – continue to see a steady stream of e-mail and related attacks aimed at the nation’s tax professional community. These are designed to steal sensitive tax and financial information from clients.
The variants of these email attacks routinely number in the hundreds and can target tax professionals whether it’s tax season or not.
“We continue to see a barrage of email and related attacks designed to trick tax professionals and gain access to their sensitive information,” said IRS Commissioner Danny Werfel. “These attempts can be elaborate, multi-layered efforts that look convincing and can easily fool people. Tax professionals need to be wary and educate their employees to use extra caution to protect their clients and their businesses.”
This is the second release in an eight-part “Protect Your Clients; Protect Yourself” summer series, part of an annual education effort by the Security Summit, a group that includes tax professionals, industry partners, state tax agencies and the IRS. The public-private partnership has worked since 2015 to protect the tax system against tax-related identity theft and fraud.
These security tips will be a key focus of the Nationwide Tax Forum, which will be in five cities this summer throughout the U.S. In addition to the series of eight news releases, the tax professional security component will be featured at the forums, which are three-day continuing education events. The remaining forums begin July 30 in Orlando, August 13 in Baltimore, August 20 in Dallas and September 10 in San Diego.
The IRS reminds tax pros that registration deadlines are quickly approaching for several of the forums, and Orlando is already sold out.
Phishing, spear phishing, clone phishing and whaling
One of the most common threats facing tax pros is phishing and related scams. These are designed to trick the recipient into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers.
Tax professionals and taxpayers should be aware of different phishing terms and what the email scams might look like:
- Phishing/Smishing – Phishing emails or SMS/texts (known as “smishing”) attempt to trick the recipient into clicking a suspicious link, filling out information or downloading a malware file. Often phishing attempts are sent to multiple email addresses at a business or agency, increasing the chance someone will fall for the trick.
- Spear phishing – A specific type of phishing scam that, rather than emailing large groups at an organization, identifies potential victims and delivers a more realistic email known as a “lure.” These scams can be trickier to identify since they don’t occur in large numbers. They single out individuals, can be specialized and make the email seem more legitimate. Scammers can pose as a potential client for a tax professional, luring the practitioner into sharing sensitive information.
- Clone phishing – A newer type of phishing scam that clones a real email message and resends it to the original recipient pretending to be the original sender. The new message will have either an attachment that contains malware or a link that tries to steal information from the tax professional or recipient.
- Whaling – Whaling attacks are very similar to spear phishing, except these attacks are generally targeted at leaders or other executives with access to large amounts of protected information at an organization or business. Whaling attacks can also target people in payroll offices, human resource personnel and financial offices.
Security Summit partners continue to see instances in which tax professionals have been particularly vulnerable to emails posing as potential clients. In the “new client” scam, the criminals use this technique to trick practitioners into opening email links or attachments that infect computer systems with the potential to steal client information. Similar schemes are seen with whaling situations where scammers try to obtain a large amount of information with legitimate-looking email requests.
Warning signs of a scam
Regardless of the type of phishing attempt, tax pros can protect themselves and their organization by being aware of these scams and looking for warning signs like these:
- An unexpected email or text claiming to come from a known or trusted source such as a colleague, bank, credit card company, cloud storage provider, tax software provider or even the IRS and other government agencies.
- Receiving a duplicate email from what appears to be a known trusted source that contains a new attachment or hyperlink.
- A message, often with an urgent tone, urging the receiver to open a link or attachment. These messages have a false narrative, like someone’s password has expired or some other urgent action is needed.
- An email address, number or link that’s slightly misspelled or has a different domain name or URL (irs.com vs. IRS.gov). A closer look at these email addresses – like hovering the cursor over the email address – can show slight variations on legitimate addresses.
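The warning signs above are mechanical enough to check before a human ever reads the message. The script below is an added example, not part of the IRS release: it runs the four signs (a trusted name on an unrelated sender domain, a lookalike domain such as irs.com for irs.gov, link text that differs from where the link actually points, an urgent password narrative) plus the clone-phishing pattern (a repeat of an earlier message that now carries a new attachment) and the “new client” pattern (an attachment from a first-time sender) over a few constructed messages. The trusted domains, display names and sample emails are all made up for the example; a practice would substitute its own bank, software vendor and agency domains.

```python
import re
from difflib import SequenceMatcher  # noqa: F401  (kept for readers who prefer ratio-based matching)
from urllib.parse import urlparse

# Constructed allow-list: the domains this practice legitimately corresponds with.
TRUSTED_DOMAINS = {"irs.gov", "taxsoft-example.com", "examplebank.com"}
# Display-name fragments that claim one of those sources, mapped to the real domain.
TRUSTED_NAMES = {"irs": "irs.gov", "internal revenue service": "irs.gov",
                 "taxsoft": "taxsoft-example.com"}
URGENCY = re.compile(r"password (has )?expired|immediately|within 24 hours|suspended|urgent", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a, b):
    """Plain edit distance; used to catch one-character typosquats (examp1ebank)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the trusted domain that `host` imitates, or None if it is genuine/unrelated."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None                       # the real domain or one of its subdomains
    labels = host.split(".")[:-1]             # every label except the TLD
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        boundary = re.compile(r"(^|[-\d])" + re.escape(t_label) + r"($|[-\d])")
        for label in labels:
            if label == t_label:              # same name, different TLD: irs.com
                return trusted
            if boundary.search(label):        # secure-irs.net, irs-gov.com
                return trusted
            if len(t_label) >= 5 and levenshtein(label, t_label) <= 1:  # examp1ebank.com
                return trusted
    return None


def check_message(msg, seen):
    """Return the warning signs found in one message.

    `seen` maps (sender address, subject) of earlier mail to its attachment list, so a
    re-sent copy that gained an attachment (clone phishing) and a first-time sender
    arriving with an attachment (the "new client" approach) can both be spotted."""
    flags = []
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    name = msg["from_name"].lower()

    for claimed, real in TRUSTED_NAMES.items():       # trusted name, unrelated domain
        if claimed in name and domain != real:
            flags.append(f"display name '{msg['from_name']}' but sender domain {domain}")
            break
    near = lookalike(domain)                          # near-miss of a trusted domain
    if near:
        flags.append(f"sender domain {domain} resembles {near}")
    for href, text in LINK.findall(msg["body"]):     # what hovering the cursor reveals
        target = urlparse(href).hostname or ""
        shown = re.sub(r"^https?://", "", text.strip()).split("/")[0].lower()
        if shown and "." in shown and shown != target:
            flags.append(f"link shows {shown} but points to {target}")
        near = lookalike(target)
        if near:
            flags.append(f"link target {target} resembles {near}")
    if URGENCY.search(msg["subject"] + " " + msg["body"]):
        flags.append("urgent tone")
    key = (msg["from_addr"].lower(), msg["subject"])
    known_senders = {addr for addr, _ in seen}
    if key in seen and set(msg["attachments"]) - set(seen[key]):
        flags.append("repeat of earlier message with new attachment")
    elif key[0] not in known_senders and msg["attachments"]:
        flags.append(f"first message from {key[0]} carries an attachment")
    seen[key] = msg["attachments"]
    return flags


def scan(messages):
    """Check messages in arrival order; returns one flag list per message."""
    seen = {}
    return [check_message(m, seen) for m in messages]


# Constructed sample mailbox, in arrival order.
MESSAGES = [
    {"from_name": "TaxSoft Support", "from_addr": "support@taxsoft-example.com",
     "subject": "Release notes for the 2024 update",
     "body": 'Details at <a href="https://www.taxsoft-example.com/notes">www.taxsoft-example.com/notes</a>.',
     "attachments": []},
    {"from_name": "IRS e-Services", "from_addr": "noreply@irs.com",
     "subject": "Your e-Services password has expired",
     "body": 'Reset it immediately at <a href="http://irs.gov.login-portal.example/reset">https://www.irs.gov/e-services</a>.',
     "attachments": []},
    {"from_name": "Pat Rivera", "from_addr": "pat.rivera@mail.example",
     "subject": "Need a new accountant - last year's return attached",
     "body": "Hi, a colleague recommended you. Can you review the attached return?",
     "attachments": ["2023_return.zip"]},
    {"from_name": "TaxSoft Support", "from_addr": "support@taxsoft-example.com",
     "subject": "Release notes for the 2024 update",
     "body": 'Details at <a href="https://www.taxsoft-example.com/notes">www.taxsoft-example.com/notes</a>. Installer attached.',
     "attachments": ["update_installer.exe"]},
]

if __name__ == "__main__":
    for msg, flags in zip(MESSAGES, scan(MESSAGES)):
        print(msg["subject"], "->", flags or "no warning signs")
```

The first message is clean; the second trips every sign the release lists; the third has no lookalike or urgency at all (which is exactly why the “new client” scam works) and is caught only because an unknown sender arrived with an attachment; the fourth is caught because its sender and subject were already seen without that attachment. The domain heuristics are deliberately simple and will produce false positives on long allow-lists, so they belong in a triage tool that a person reviews, not in an automatic blocker.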
“There are major red flags that can be easily overlooked, so tax professionals and taxpayers should be extra careful and look closely when they receive an email from an official looking source,” Werfel said.
Cloud-based schemes remain a threat
Tax professionals using cloud-based systems that store information or run tax preparation software should use multi-factor authentication to help safeguard that data. The Federal Trade Commission now requires all practitioners to secure sensitive client personally identifiable information (PII) using multi-factor authentication.
Specifically, the Security Summit continues to see attacks that take advantage of cloud-based systems and compromise personal information. Multi-factor authentication options provide an additional layer of security to access a system by using a phone, text messages or tokens. Since email is easier for identity thieves to access, having these layers of security helps guard against potential vulnerabilities.
Additional resources
For tax professionals who are victims of any of these schemes or identity theft, the IRS urges them to quickly contact their IRS stakeholder liaison to provide details of the situation. Tax professionals can also share information with the appropriate state tax agency by visiting a special Report a Data Breach page with the Federation of Tax Administrators.
Quickly reporting these incidents can not only protect the tax pro’s clients, but it can also help provide critical information quickly to help prevent these attacks from hitting others in the tax community.
Tax professionals should also understand the Federal Trade Commission’s data breach response requirements as part of their overall information and data security plan. There’s a new requirement to report to the FTC, within 30 days of the incident, any incident in which 500 or more people are affected.
To help taxpayers navigate these issues and meet the requirement to have a security plan, the Security Summit has prepared a sample Written Information Security Plan. This template can help tax pros, including smaller practitioners, protect themselves from ongoing security threats.
Tax professionals should also review IRS Publication 4557, Safeguarding Taxpayer Data, for more information.
Other resources include Small Business Information Security: The Fundamentals, by the National Institute of Standards and Technology, and the IRS’ Identity Theft Central pages for tax pros.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. The IRS also encourages tax professionals to stay connected to the IRS for its latest updates and alerts through subscriptions to e-News for tax professionals and its social media sites.
Source: IRS-2024-188, July 16, 2024