The IRS Security Summit published a warning this week to make taxpayers and professional advisors aware of the latest email phishing scams. Because both tax advisors and individuals have been under lockdowns or on remote status for over a year, there is greater opportunity for identity thieves to trick individuals into releasing confidential data.
IRS Commissioner Chuck Rettig stated, "Identity thieves have been relentless in exploiting the pandemic and the resulting economic pain to trick taxpayers and tax professionals to disclose sensitive information. Fighting back against phishing scams requires constant vigilance and we urge tax pros to take some basic steps to help protect their clients and themselves."
There are several specific strategies that bad actors use to collect passwords, bank account information, credit card numbers or Social Security numbers.
- Trusted Source: A scammer will pose as a familiar person or a reputable organization. This could be a claim that he or she is a long-lost friend or a colleague at a former employer. The person could also appear to be from a bank, credit card company or even the Internal Revenue Service.
- Urgent Story: Another strategy is to write a story that pulls on your heartstrings and creates urgency. Some bad actors have written stories about friends or family members who have recently had a huge disaster or are hospitalized with COVID-19 and require immediate assistance. The story will also include a link to more information needed to provide help to that friend or family member.
- Spear Phishing: A particularly successful strategy is for a fraudster to claim to be a potential client for a tax professional. Because many tax professionals are now aware that an email with an attachment may be suspicious, the fraudster first exchanges four or five emails with the tax professional. After a series of emails, the guard of the tax professional is down and the bad actor sends an email with the attachment that will trigger the download of malware.
In all of these cases, the malware downloaded onto the computer of the individual or tax professional is designed to give the scammer access to passwords. If the tax professional has client accounts with pending tax returns, the bad actor then completes those returns and files them. However, the bank account information for the refund is changed to an account controlled by the scammer.
A number of tax professionals have also been subject to ransomware attacks. With the malware on the computer or network of the tax professional, the bad actor is able to encrypt all the business files. This is particularly effective because many of the tax returns will have due dates. The bad actor then demands a cryptocurrency payment from the professional. If the ransom is paid, the bad actor may send a key to decrypt the files so that the professional can meet the required tax deadlines.
The Internal Revenue Service urges all individuals with financial accounts to use two-factor authentication. Both individuals and tax professionals should have anti-virus software that is updated on a daily basis. Tax professionals should also encrypt the data at rest and create daily backup files that can be recovered if their hard drives are encrypted.
The Department of Treasury urges both individuals and tax professionals to review IRS Publication 4557, Safeguarding Taxpayer Data.