
The IRS has issued an alert to tax professionals about phishing emails that appear to come from accounting or professional organizations. In particular, the scammers behind these emails targeted tax practitioners in Iowa, Illinois, New Jersey and North Carolina. The agency has also received reports about email from a purported Canadian accounting association.
The IRS reports that this recent email states: “We kindly request that you follow this link HERE and sign in with your email to view this information from [name of accounting association] to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server.”
According to the IRS, tax professionals should be alert “because cybercriminals can easily change their tactics, using other association names or making other adjustments in their scam attempts.” The agency advises practitioners to go directly to the organizations’ websites rather than open any links or attachments, and to forward suspicious emails concerning taxes or the IRS to phishing@irs.gov.
Members of "the Security Summit," a private-public sector partnership formed in 2015 to combat identity theft, are urging practitioners to follow these security steps:
• Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax pro via email.
• Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
• Review internal controls:
    • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
    • Create passwords of at least eight characters; longer is better. Use a different password for each account, and use special and alphanumeric characters and phrases. Password protect wireless devices and consider a password manager program.
    • Encrypt all sensitive files/emails and use strong password protections.
    • Back up sensitive data to a safe and secure external source not connected full-time to a network.
    • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
    • Limit access to taxpayer data to individuals who need to know.
    • Check IRS e-Services account weekly for number of returns filed with EFIN.
• Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.