10 tips for avoiding tax scams

The inbox seems to have become tax preparers’ worst enemy in this age of phishing e-mails designed to trick preparers into volunteering critical information. Crooks convert stolen data into phony refunds faster than ever, and it’s easy to think that time-tested protections aren’t enough anymore.

The IRS shared its top 10 tips and practical examples for tax pros to protect themselves – and their clients – from taking the bait.


1. Spear itself

Nine out of 10 cyberattacks and data leaks begin with a spear-phishing e-mail, often tailored to individual practitioners. Spear-phishing crooks pose as familiar entities, and have usually done extensive research to target a specific audience – tax pros are favorites – to gain passwords or install malware.

Red flags: The supposedly familiar source of the e-mail; conversational but ungrammatical and oddly constructed language; calls to action urging opening of a link (often a “tiny” URL to mask the true destination).

2. Hostile takeovers

In these mushrooming schemes, a thief manages to steal or guess the username and password of a tax pro, resulting in imaginable and horrific havoc with EFINs, prep software accounts and more. Again, these hardworking thieves do their homework to pose as a familiar organization, potential client, another tax pro, a bank or a cloud-based storage provider. Links or attachments may also load malware on computers to capture keystrokes.

Red flags: Urgent and threatening calls to action; pages that look like the login pages for IRS e-Services or a prep-software provider.

3. Day at the breach

In the first five months of this year, about 107,000 taxpayers reported being victims of ID theft -- a total actually down from previous years -- but the IRS also saw a jump in ID theft involving business-related tax returns, including 1120s and 1120Ss, 1041s and Schedule K-1 filings. The IRS will soon ask tax pros to gather more information on their business clients to help authenticate returns, including Social Security numbers, payment history and parent company information.

Red flag: Potential business clients claiming they don’t currently have an EIN.

4. Ransom devil

Ransomware attacks are on the rise worldwide, locking computer systems and holding sensitive data hostage until users pay crooks to release the data (though often scammers won’t provide the decryption key even after a ransom is paid). Users generally are unaware that malware has infected their systems until they receive the ransom request.

Red flag: Phishing e-mails.

5. Remote control

A tax pro’s entire digital network could be at risk for remote takeover by cybercriminals who exploit security weaknesses to get into devices, access client returns, complete and e-file those returns, and then secretly direct refunds to their own accounts. Especially vulnerable are wireless networks, including mobile phones, modems and router devices, printers (clients’ returns might still be in the device’s memory), fax machines and televisions that retain their factory-issued password settings.

Red flags: Phishing e-mails with attachments.

6. BEC to the wall

A burgeoning W-2 scam -- a.k.a. a business email compromise, or “BEC” -- is one of the most dangerous phishing e-mail schemes trending nationwide. A cybercriminal impersonates a company or organization exec’s e-mail address to target a payroll, financial or HR employee with a request for a transfer of funds or a request for a list of all employees and their W-2s. This allows crooks to file fraudulent returns that mirror the employees’ actual income, making the fraud harder to detect.

Red flags: Slight variations in familiar URLs (for example, legitimate abc_company.com e-mail domain reads as “abc-company.com”); “reply” e-mail address is different from the “from” e-mail address.
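
Both red flags above can be checked mechanically on incoming mail. The following Python is an added example, not from the IRS or the original article; the trusted-domain list, the 0.85 similarity threshold and both sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this office actually corresponds with (constructed list).
TRUSTED_DOMAINS = {"abc_company.com"}

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` closely imitates, else None."""
    if not domain or domain in trusted:
        return None  # an exact trusted match is not a lookalike
    for good in trusted:
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def bec_red_flags(raw_message):
    """List the tip-6 red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} resembles {imitated}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = """From: "Pat Lee, CEO" <pat.lee@abc-company.com>
Reply-To: pat.lee@mailbox.example
To: payroll@abc_company.com
Subject: Need all employee W-2s today

Please send the W-2 list as a PDF.
"""
LEGIT = """From: Pat Lee <pat.lee@abc_company.com>
To: payroll@abc_company.com
Subject: Staff meeting
"""

if __name__ == "__main__":
    print(bec_red_flags(SPOOFED), bec_red_flags(LEGIT))
```

A flagged message is a prompt to confirm the request through a separate, known channel before sending W-2s or funds; similarity scoring will miss some lookalikes and can flag legitimate sister domains.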

7. EFIN headache

Criminal syndicates routinely attempt to steal tax pros’ usernames and passwords to access e-Services to obtain the EFIN. Savvy cybercriminals even swipe CAF numbers and may know how to file fraudulent power-of-attorney documents. (Password thefts are one reason the IRS moved to a two-factor authentication process for online tools.)

Red flags: Spear-phishing e-mails impersonating IRS e-Services.

8. Protect clients

Tax pros must take proactive responsibility for safeguarding client data. Proper plans assess risks to taxpayer information in offices, list locations where taxpayer information is kept, and formally document how to safeguard information.

Red flags: Service providers lacking an adequate level of information protection.

9. Priority No. 1.

Tax pros must make data security an everyday priority and remember the 90/10 rule: 10 percent of cybersecurity relies on technology and 90 percent relies on users. Put another way, data security in a tax professional’s office is only as strong as the least-informed employee (not to mention that security must extend into staffers’ homes, too -- use separate personal and business computers, mobile devices and accounts).

Red flags: Downloads from an unknown Web page or phone calls from an unknown company; requests for usernames, passwords, kinds of operating systems or brands of firewalls or browsers.

10. Speak up

Tax pros who suffer a breach or theft of taxpayer data should contact the IRS and cops immediately: Crooks work like lightning to convert stolen data into phony returns. (Some states also require notification of data losses.) Tax pros should be prepared with a list of the affected taxpayers, including names and Social Security numbers, and can start their reporting with this list of local IRS stakeholders.