10 tips for tax pros to avoid phishing scams

IRS headquarters in Washington, D.C.

The inbox seems to have become tax preparers’ worst enemy in this age of phishing e-mails designed to trick preparers into volunteering critical information. Crooks convert stolen data into phony refunds faster than ever, and it’s easy to think that time-tested protections aren’t enough anymore.

The IRS shared its top 10 tips and practical examples for tax pros to protect themselves – and their clients – from taking the bait. (A slideshow version of this article is available.)

1. Spear itself. Nine out of 10 cyberattacks and data leaks begin with spear phishing e-mail, often tailored to individual practitioners. Spear-phishing crooks pose as familiar entities, and have usually done extensive research to target a specific audience – tax pros are favorites – to gain passwords or install malware.

Red flags: The supposedly familiar source of the e-mail; conversational but ungrammatical and oddly constructed language; calls to action urging opening of a link (often a “tiny” URL to mask the true destination).

2. Hostile takeovers. In these mushrooming schemes, a thief steals or guesses a tax pro's username and password and then uses the account to wreak havoc with EFINs, prep-software accounts and more. Again, these hardworking thieves do their homework to pose as a familiar organization, a potential client, another tax pro, a bank or a cloud-based storage provider. Links or attachments may also load malware onto computers to capture keystrokes, harvesting the next set of passwords.

Red flags: Urgent and threatening calls to action; pages that look like the login pages for IRS e-Services or a prep-software provider but sit at an unfamiliar address.

3. Day at the breach. In the first five months of this year, about 107,000 taxpayers reported being victims of ID theft -- a total actually down from previous years -- but the IRS also saw a jump in ID theft involving business-related tax returns, including Forms 1120 and 1120S, Forms 1041 and Schedule K-1 filings. The IRS will soon ask tax pros to gather more information on their business clients to help authenticate returns, including Social Security numbers, payment history and parent-company information.

Red flag: Potential business clients claiming they don’t currently have an EIN.

4. Ransom devil. Ransomware attacks are on the rise worldwide, locking computer systems and holding sensitive data hostage until users pay crooks to release the data (though often scammers won’t provide the decryption key even after a ransom is paid). Users generally are unaware that malware has infected their systems until they receive the ransom request.

Red flag: Phishing e-mails.

5. Remote control. A tax pro's entire digital network could be at risk of remote takeover by cybercriminals who exploit security weaknesses to reach the devices, pull client returns, complete and e-file those returns, and then secretly direct the refunds to their own accounts. Especially vulnerable are wireless networks and any device that still uses its factory-issued password, including mobile phones, modems and routers, printers (clients' returns might still be in the device's memory), fax machines and televisions.

Red flags: Phishing e-mails with attachments.

6. BEC to the wall. A burgeoning W-2 scam -- a.k.a. business email compromise, or "BEC" -- is one of the most dangerous phishing e-mail schemes trending nationwide. A cybercriminal impersonates the e-mail address of a company or organization executive to target a payroll, financial or HR employee with a request to transfer funds or a request for a list of all employees and their W-2s. The W-2 data lets crooks file fraudulent returns that mirror the employees' actual income, making the fraud harder to detect.

Red flags: Slight variations in familiar URLs (for example, legitimate abc_company.com e-mail domain reads as “abc-company.com”); “reply” e-mail address is different from the “from” e-mail address.
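Both of those red flags can be checked mechanically before a message reaches a payroll inbox. The following Python script is an added example, not code from the article or the IRS; the company domain abc_company.com, the sample messages and the function names are all constructed for illustration. It parses the From and Reply-To headers of a raw message, flags a Reply-To domain that differs from the From domain, and flags a From domain that is a near-miss of a known-good domain (separators swapped, a character dropped, or common look-alike characters such as 0 for o).

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical domain this firm actually uses (constructed for the example).
KNOWN_DOMAINS = {"abc_company.com"}

# Constructed sample messages, not real mail. The first mimics the W-2 scam:
# the From domain uses a hyphen instead of an underscore and the replies go elsewhere.
SUSPECT_MESSAGE = """\
From: "Pat Chen, CEO" <pat.chen@abc-company.com>
Reply-To: ceo.urgent@mail-relay.example
To: payroll@abc_company.com
Subject: URGENT - need all W-2s today

Please send PDFs of every employee W-2 before noon.
"""

LEGIT_MESSAGE = """\
From: "Pat Chen" <pat.chen@abc_company.com>
To: payroll@abc_company.com
Subject: Q3 numbers

Attached as discussed.
"""


def _domain(header_value):
    """Lowercase domain part of the address in a header value, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rpartition("@")[2].lower()


def _normalize(domain):
    """Collapse characters commonly swapped in look-alike domains so that
    abc-company.com, abc_company.com and abccompany.com compare equal."""
    return (domain.replace("-", "").replace("_", "")
                  .replace("0", "o").replace("1", "l").replace("rn", "m"))


def _edit_distance(a, b):
    """Levenshtein distance; catches a single dropped or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the known domain this one imitates, or None.
    An exact match with a known domain is legitimate, not a look-alike."""
    if domain in known:
        return None
    norm = _normalize(domain)
    for k in known:
        if norm == _normalize(k) or _edit_distance(norm, _normalize(k)) <= 1:
            return k
    return None


def check_headers(raw_message, known=KNOWN_DOMAINS):
    """Return a list of red-flag strings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    flags = []
    imitated = lookalike_of(from_dom, known)
    if imitated:
        flags.append(f"From domain {from_dom} looks like {imitated}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return flags


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, check_headers(raw) or ["no flags"])
```

The normalization step is deliberately crude: it will not catch every homoglyph or a transposition of two letters, and a display name such as "Pat Chen, CEO" carries no weight at all, which is why the check keys on the address domain rather than the name the reader sees. It is a triage aid for the mailbox, not a replacement for confirming a funds-transfer or W-2 request by phone.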

7. EFIN headache. Criminal syndicates routinely attempt to steal tax pros’ usernames and passwords to access e-Services to obtain the EFIN. Savvy cybercriminals even swipe CAF numbers and may know how to file fraudulent power-of-attorney documents. (Password thefts are one reason the IRS moved to a two-factor authentication process for online tools.)

Red flags: Spear-phishing e-mails impersonating IRS e-Services.

8. Protect clients. Tax pros must take proactive responsibility for safeguarding client data. Proper plans assess risks to taxpayer information in offices, list locations where taxpayer information is kept, and formally document how to safeguard information.

Red flags: Service providers lacking an adequate level of information protection.

9. Priority No. 1. Tax pros must make data security an everyday priority and remember the 90/10 rule: 10 percent of cybersecurity relies on technology and 90 percent relies on users. Put another way, data security in a tax professional’s office is only as strong as the least-informed employee (not to mention that security must extend into staffers’ homes, too -- use separate personal and business computers, mobile devices and accounts).

Red flags: Downloads from an unknown Web page or phone calls from an unknown company; requests for usernames, passwords, kinds of operating systems or brands of firewalls or browsers.

10. Speak up. Tax pros who suffer a breach or theft of taxpayer data should immediately contact the IRS and local law enforcement: Crooks work like lightning to convert stolen data into phony returns. (Some states also require notification of data losses.) Tax pros should be prepared with a list of the affected taxpayers, including names and Social Security numbers, and can start their reporting with the IRS's list of local stakeholder liaisons.
