All tax pros need to beware of evolving phishing scams that use various pandemic-related themes to steal client data. It is the tax preparer’s responsibility to secure their network to protect taxpayer data.
Tax pros, especially those who engage in remote transactions, remain vulnerable to identity thieves posing as potential clients. The criminals then trick practitioners into opening email links or attachments that infect computer systems.
The warning about these phishing scams comes as part of the annual summer campaign of the IRS and its Security Summit partners. This year's theme, Boost Security Immunity: Fight Against Identity Theft, urges tax pros to step up their efforts to protect client data.
Scams may differ in themes, but they generally have two traits:
- They appear to come from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider or even the IRS.
- They tell a story, often with an urgent tone, to trick the receiver into opening a link or attachment.
Fraudsters continue to impersonate pandemic-related government benefit programs to launch phishing campaigns. Pandemic-related scams may be delivered by email, social media, phone, or text, and may reference legitimate programs such as Economic Impact Payments. Instead of providing economic relief, these scams collect personal and financial information. Legitimate government programs will have corresponding information on their official government websites.
Phishing emails or SMS/texts - known as smishing - attempt to trick the person receiving the message into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers. Anyone with a smartphone is a potential target. Smishing scams may leverage the child tax credit or other pandemic-related tax programs to trick recipients into visiting phishing websites.
A specific kind of phishing email is called spear phishing. Rather than the scattershot nature of general phishing emails, scammers take time to identify their victim and craft a more enticing phishing email known as a lure. Scammers often use spear phishing to target tax pros.
In a recurring and very successful spear phishing scam, criminals pose as potential new clients, exchanging several emails with tax pros before following up with an attachment that they claim is their tax information. Once the tax pro clicks on the URL or opens the attachment, malware secretly downloads onto their computer, giving thieves access to passwords to client accounts or remote access to the computer. Thieves then use this malware, known as a remote access trojan, to take over the tax professional's office computer system, identify pending tax returns, complete them and e-file them, changing only the bank account information to steal the refund. This scam remains popular as many tax pros continue to work remotely and communicate with clients over email rather than in person or over the phone because of COVID-19.
Tax pros should follow basic security steps to protect their accounts and client data. For example, using the two-factor or the multi-factor authentication option offered by tax preparation providers or storage providers would protect client accounts even if passwords were inadvertently disclosed. Keeping anti-virus software automatically updated helps prevent scams that target software vulnerabilities. Using drive encryption and regularly backing up files helps stop theft and ransomware attacks.
More information:
Publication 4557, Safeguarding Taxpayer Data