Looks to gain sensitive information; warns of surge in ‘new client’ scams

As part of the Dirty Dozen tax scams effort, the Internal Revenue Service today urged tax professionals and other businesses to remain vigilant and protect themselves against a continuing barrage of email spearphishing attempts designed to steal valuable information.

Tax professionals and businesses present a tempting target for identity thieves given their extensive information, and scammers continue to look for creative ways to gain access to sensitive systems. In particular, the IRS and the Security Summit partners urge tax pros and businesses to watch out for a surge in a particular type of spearphishing known as “new client” scams, where identity thieves pose as potential clients using fake emails.

Through spearphishing emails, cybercriminals impersonate real taxpayers seeking help with their taxes, using fake emails to get sensitive data or gain access to a tax professional’s client information from their computer systems. While these can peak around tax season, they remain a year-round threat. Criminals who access a tax preparer’s credentials or their clients’ tax-related information can affect multiple victims.

“It’s crucial for tax professionals and businesses to be wary of creative and evolving cyberattacks designed to access sensitive systems,” said IRS Commissioner Danny Werfel. “Cyberattacks pose a threat to not just the livelihood of the businesses, but the sensitive tax and personnel information that identity thieves can use to try filing fake tax returns. The Security Summit partners continue to urge tax pros and businesses to be on guard and educate their employees. Taking simple steps by using extra caution when opening emails, clicking on links or sharing private client information can prevent tax professionals from being taken advantage of by cybercriminals.”

This marks the ninth day of the special Dirty Dozen series. Started in 2002, the IRS’ annual Dirty Dozen campaign lists 12 scams and schemes that put taxpayers and the tax professional community at risk of losing money, personal information, data and more. While the Dirty Dozen is not a legal document or a formal listing of agency enforcement priorities, the education effort is designed to raise awareness and protect taxpayers and tax pros from common tax scams and schemes, like spearphishing.

Raising awareness about common scams threatening taxpayers and tax pros has been an ongoing focus of the Security Summit, a coalition of the IRS, state tax agencies and the nation’s tax industry. The groups have worked together since 2015 to strengthen internal systems and controls to protect against tax-related identity theft, and the Summit partners continue to warn people about common scams and schemes during tax season and beyond.

These scams can threaten a taxpayer’s personal and financial information. The Security Summit initiative is committed to protecting taxpayers, businesses and the tax system from scammers and identity thieves, and the annual IRS Dirty Dozen series is incorporated into this larger effort.

What is spearphishing?

While phishing refers to emails or text messages designed to steal personal information, either directly or by getting the recipient to click on an embedded link or attachment, spearphishing is more targeted. Spearphishing is a type of phishing that targets specific individuals, organizations or businesses, typically using malicious emails.

The IRS warns tax professionals about spearphishing because if a tax preparer falls victim to a data breach, the potential for harm is much greater. A successful spearphishing attack can lead to the theft of client data and the identity theft of the tax preparer. This could potentially enable the attacker to file fraudulent returns.

How to avoid being a victim of spearphishing:

  • Never click suspicious links or download attachments from unknown senders, including potential clients.
  • Call the potential client to confirm the email is from them.
  • Send only password-protected and encrypted documents through email.
  • Protect email accounts with strong passwords and two-factor authentication.
  • Use security software products with anti-phishing tools.
  • Be vigilant year-round, not just during tax filing season.

New client scam

The “new client” scam, which involves spearphishing attempts, continues to be a concern for the IRS and its Security Summit partners. Cybercriminals impersonate new, potential clients to trick tax preparers into responding to their emails. Once the preparer responds, the scammer sends a malicious attachment or URL that can compromise the preparer’s computer systems and allow the attacker to access sensitive client information.

There are warning signs that should raise red flags and cause people to question an email’s legitimacy. Individuals, including tax pros, should always be cautious and look out for any suspicious requests or unusual behavior before sharing any sensitive information or responding to an email. Warning signs include poorly constructed sentences and unusual word choices. Be aware that by gaining access to a hacked email account, scammers can locate a genuine email from a previous victim’s email account sent to their tax professional. This email may contain no spelling or grammatical errors and may refer to genuine tax issues.

Report spearphishing and other scams

Individuals should report scams by sending the suspicious email or a copy of the text/SMS as an attachment to phishing@irs.gov. The report should include the sender’s email address, caller’s phone number, date, time and the phone number or email address that received the message.

The Report Phishing and Online Scams page at IRS.gov provides more information on what to look out for and how to report phishing and scams.

Taxpayers can also report scams to the Treasury Inspector General for Tax Administration or the Internet Crime Complaint Center. Another useful tool is the Federal Communications Commission’s Smartphone Security Checker.
