IRS warns of e-file identity theft scam

The Internal Revenue Service alerted tax professionals Wednesday about a dangerous new phishing scam in which a cybercriminal is sending emails claiming to come from the IRS in an effort to steal Electronic Filing Identification Numbers (EFINs).

The IRS and its security partners in private industry and state government said the latest scheme, which comes only days before the beginning of tax season, offers a reminder that tax professionals are among the main targets of identity thieves who are trying to steal client data and tax preparers’ identities so they can file fraudulent tax returns for refunds. The latest scam email claims to come from “IRS Tax E-Filing” and bears the subject line “Verifying your EFIN before e-filing.”

The IRS and its tax industry partners in the Security Summit routinely alert tax professionals about the latest phishing scams they are receiving. There is usually an surge in such emails around the time of tax season when tax professionals expect to receive more communications from the IRS.

“Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season,” said IRS Commissioner Chuck Rettig in a statement. “Tax professionals must remain vigilant. The scammers are very active and very creative.”

IRS Commissioner Charles "Chuck" Rettig
IRS Commissioner Charles Rettig

The IRS is cautioning tax professionals to avoid following any of the steps in the email, or even to respond to the email. The email states:

“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver's license before you e-file.

“Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver's License emailed in order to complete the verification process. Email: (fake email address)

“If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.

© 2021 EFILE. All rights reserved. Trademarks

2800 E. Commerce Center Place, Tucson, AZ 85706”

The IRS asked tax professionals who receive the email to save it as a file and then send it as an attachment to phishing@irs.gov. They also should reach out to the Treasury Inspector General for Tax Administration at www.TIGTA.gov to report the IRS impersonation scam, even though both TIGTA and the IRS Criminal Investigation division are already aware of the scam.

Phishing emails typically try to convince the recipient to take some action (such as clicking on a link or attachment), while threatening consequences for failing to do so (such as disabling the recipient’s account). The links or attachment can be set up to steal information or download malware onto the tax professional’s computer.

In the case of this latest scam, tax preparers are being asked to email documents that would disclose their identities and EFINs to identity thieves. The cybercriminals can then use the information to file fraudulent returns by pretending to be the tax preparer.

There have been earlier phishing scams that seek EFINs, Preparer Tax Identification Numbers (PTINs) or e-Services usernames and passwords from tax pros. Some cyberthieves pose as potential clients, which can be a particularly effective scam currently because there are so many remote transactions during the COVID-19 pandemic. The cyberthief may interact repeatedly with a tax preparer and then send an email with an attachment claiming to be their tax information. However, the attachment could contain malware enabling a hacker to track keystrokes and eventually steal all the user’s passwords or even take over control of their computer systems.

Some phishing scams turn out to be ransomware schemes in which the cyberthief gains control of the tax preparer’s computer server and holds the data hostage until a ransom is paid. The FBI warns against paying a ransom because cybercriminals frequently leave the data encrypted even after the ransom has been paid.

For more information, see Publication 4557, Safeguarding Taxpayer Data, and Identity Theft Information for Tax Professionals.

For reprint and licensing requests for this article, click here.
IRS Tax scams Identity theft Phishing TIGTA
MORE FROM ACCOUNTING TODAY