Washington News

As part of its ongoing awareness campaign, the Internal Revenue Service (IRS) Security Summit warns taxpayers and professional advisors to be aware of the latest email phishing scams. Because both tax advisors and individuals are active users of email, there is frequent opportunity for identity thieves to trick individuals into releasing confidential data.

The IRS previously noted that identity thieves have been relentless in exploiting and tricking taxpayers and tax professionals to disclose sensitive information. The IRS further noted that fighting back against phishing scams requires constant vigilance and urges tax professionals and taxpayers to take basic steps to protect their sensitive information.

There are several strategies that “bad actors”, or identity thieves, use to collect passwords, bank account numbers, credit card numbers or Social Security numbers.

1. Trusted Source— A bad actor will pose as a familiar person or an individual from a reputable organization. They will then claim that he or she is a long-lost friend, a colleague at a former employer, a bank, a credit card company or even the IRS.
2. Urgent Story— Another strategy is to write a story that pulls on your heartstrings and creates urgency. Some bad actors have written stories about friends or family members who have recently suffered from a disaster or are hospitalized and require immediate assistance. The story will also include a link to a document needed to provide help to that friend or family member.
3. Spear Phishing— A particularly successful strategy by the bad actor is to pose as a potential new client to a tax professional. To create a false sense of security, the individual exchanges four or five emails with the tax professional. After four or five emails, the guard of the tax professional is down, and the bad actor sends an email attachment that triggers the download of malware.

In these cases, the bad actor will attempt to have malware downloaded on to your computer through the click of links or opening of attachments. Then, the malware downloaded onto the computer of the individual or tax professional is designed to give the bad actor access to passwords. If the tax professional has client accounts with pending tax returns, the bad actor completes those returns and files them. However, the bank account information for the refund is changed to an account controlled by the bad actor.

Tax professionals have also been subject to ransomware attacks. With malware on the computer or network of the tax professional, the bad actor is able to encrypt all the business files. This is particularly effective because the tax returns will have due dates that need to be met. The bad actor then demands a cryptocurrency payment from the professional. If the ransom is paid, the bad actor may send a key to decrypt the files and allow the tax professional to meet the required tax deadlines.

The IRS urges all individuals with financial accounts to use two-factor authentication. Both individuals and tax professionals must have anti-virus software that is updated on a daily basis. Tax professionals should also encrypt the data and create daily backup files in order to easily recover files if their hard drives are encrypted.