IRS, State Tax Agencies Warn of Scam Targeting Tax Professionals

Ruth Singleton
Published Date: Mar 22, 2018

The IRS, state tax agencies and members of the tax industry are warning about a "new client" scam targeting tax professionals. These members of "the Security Summit," a private-public sector partnership formed in 2015 to combat identity theft, issued the warning today because this scam has re-emerged in recent days.

According to the Security Summit, in this scam, a supposed “new client” emails the tax professional about a tax issue, attaching documents to the email that the sender claims to be an IRS notice or prior-year tax information. The documents actually contain malware that, if opened, enables the criminals to steal taxpayer information.

This is an example of a common tactic, called spear phishing, which occurs when a criminal singles out one or more tax preparers in a firm and sends an email posing as a trusted source such as the IRS, e-Services, a tax software provider or a cloud storage provider. Thieves also may pose as clients or new prospects. The objective is to trick the tax professional into disclosing sensitive usernames and passwords or into opening a link or attachment that secretly downloads malware enabling the thieves to track every keystroke.

The IRS provides the following as an example of the text of a spear phishing email: “I just moved here from Michigan. I have an urgent Tax issue and I was hoping you could help. I hope you are taking on new clients.” The email will also say that one attachment is the IRS notice and the other attachment is the prospective client’s prior-year tax return. This scam has many variations.

The IRS says that it has seen a steep upswing in the number of reported thefts of taxpayer data from tax practitioner offices. Seventy-five firms reported taxpayer data thefts in January and February, nearly a 60 percent increase from the same time last year. Much of this increase, it says, follows one scam, the erroneous refund scheme, that affected thousands of taxpayers and numerous practitioners earlier this filing season.

The IRS is warning tax professionals to be on high alert and deploy strong security measures as the filing season reaches a peak with the April 17 deadline approaching.

Some tax professionals may be unaware they are victims of data theft. Here are some signs:

• Client e-filed returns begin to reject because returns with their Social Security numbers were already filed;

• The number of returns filed with the tax practitioner’s Electronic Filing Identification Number (EFIN) exceeds the number of clients;

• Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS;

• Network computers running slower than normal;

• Computer cursors moving or changing numbers without touching the keyboard;

• Network computers locking out tax practitioners.

Here are the security steps recommended by the Security Summit:

• Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates contact via email.

• Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.

• Review internal controls:

   Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.

   Use strong and unique passwords of 10 or more mixed characters, password protect all wireless devices, use a phrase or words that are easily remembered and change passwords periodically.

   Encrypt all sensitive files/emails and use strong password protections.

   Back up sensitive data to a safe and secure external source not connected full time to a network.

   Wipe clean or destroy old computer hard drives that contain sensitive data.

   Limit access to taxpayer data to individuals who need to know.

   Check IRS e-Services account weekly for number of returns filed with EFIN.

Those who experience a security incident or a breach resulting in data disclosure should report the incident to the appropriate IRS Stakeholder Liaison.
