IRS sees 60% increase in data thefts from tax pros

The Internal Revenue Service, along with its Security Summit partners in the tax industry and at state tax authorities, cautioned tax professionals Thursday to be on the alert for the re-emergence this tax season of a cybercriminal scam that is helping fuel a dramatic uptick in reports of taxpayer data thefts from tax practitioner offices.

It is urging tax professionals to immediately improve their cybersecurity defenses to protect against downloading malware through a bogus email. The tactic is what’s known as a “spear phishing” scheme, and the IRS is referring to this one as the “New Client” scam. In the scam, a “new client” emails a practitioner about a tax issue, attaching documents to the message that they claim is an IRS notice or prior-year tax information. However, the documents actually contain malware. If they’re opened, they allow cybercriminals to steal taxpayer information.

This filing season, the IRS has seen a dramatic upswing in the number of reported thefts of taxpayer data from practitioners' offices. In January and February, 75 firms reported taxpayer data thefts, representing nearly a 60 percent increase from the first two months of last year. Much of the increase actually comes from a different tactic than the “new client” scam, though. The other scam, referred to as the “erroneous refund scheme,” affected thousands of taxpayers and numerous practitioners earlier this season.

The “New Client” scam is a form of spear phishing, which happens when a cybercriminal targets one or more tax preparers in a firm and sends an email posing as a trusted source such as the IRS, e-Services, a tax software provider or a cloud storage company. This is one example: “I just moved here from Michigan. I have an urgent Tax issue and I was hoping you could help,” the email begins. “I hope you are taking on new clients.” The email says one attachment is the IRS notice, while the other is the prospective client’s prior-year tax return. The scam has a number of variations.

The IRS noted that the period from January through April, coinciding with busy season, also represents prime season for cybercriminals to attack tax practitioners. However, taxpayer data thefts can happen anytime. Tax pros should be on high alert and put in place robust security measures as tax season reaches a peak with the April 17 deadline approaching soon. Criminals try to take advantage of this busy time of year when tax pros are in more contact with their clients and thus in possession of more data.

Here are some signs a tax pro or their client could be a victim of ID theft:

• A client’s electronically filed tax returns are rejected because other returns with their Social Security numbers have already been filed;

• The number of tax returns filed with a practitioner’s Electronic Filing Identification Number, or EFIN, is greater than their number of clients;

• Clients who haven’t filed tax returns start to receive authentication letters such as the 5071C, 4883C or 5747C from the IRS;

• Network computers are running slower than usual;

• Computer cursors are moving or changing numbers without the user touching the keyboard;

• Network computers are locking out tax practitioners.

The IRS noted that identity thieves often are part of sophisticated criminal syndicates based in the U.S. and other countries. These organized crime syndicates can be extremely resourceful, as well as tax savvy and they have the digital know-how to commit their crimes. They use different tactics to break into tax professionals’ computer systems and steal client information if stringent security measures haven't been implemented.

A man walks past the IRS headquarters in Washington, D.C.
The IRS headquarters in Washington, D.C.
Andrew Harrer/Bloomberg

For reprint and licensing requests for this article, click here.
Tax scams Cyber attacks Cyber security Malware Identity theft Identity theft protection Tax season Phishing IRS
MORE FROM ACCOUNTING TODAY