The Internal Revenue Service recently warned tax return preparers about two new phishing schemes:
One is an email sent to tax preparers asking them to update their e-Services information. The IRS will not send email asking preparers to click on a link to update accounts.
The links provided in the email are part of a phishing scam to capture e-Services usernames and passwords. Do not click on the links or take any other action. The IRS is undertaking efforts to make its authentication process stronger, but it is doing so via U.S. Postal Service letters to certain e-Services users. Recipients will have 30 days to respond or validate their identity.
Another scheme involves scammers sending emails purporting to come from tax software companies, to fool tax preparers into clicking on a link to update their software, but which instead loads malware on their computers. The spoofing email urges recipients to click on a link to download an “important new software update” and install it. The file has the same name as the legitimate tax software, but instead of providing an update, the link downloads a program that permits cybercriminals to obtain remote control of preparers’ computer systems to complete and file client tax returns and redirect refunds to the fraudsters’ accounts. Similar email schemes using well-known tax software company names target individual taxpayers as well.
Internet criminals are also sending a phony IRS Notice CP 2000 and claiming that the income reported on a tax return does not match the income reported by the employer. To further confuse potential victims, the letter accompanying the phony IRS form indicates that the form relates to the Affordable Care Act. The IRS does not initiate contact with taxpayers via email.
Cybercriminals continue to target and defraud CPA firms and their clients by deploying new phishing schemes in new guises. Many of the hackers are sophisticated and determined in their efforts to steal information and money. Damages resulting from the scams can range from several thousand dollars to several hundred thousand dollars.
At the lower end of the range of damages are tax return-related schemes that target the large volumes of personal identity and financial information possessed by tax preparers.
Lessons and tips
The lesson here is to never click on unexpected links or open suspicious email attachments. Instead, use the software or the trusted provider’s website to obtain and install updates. Tax professionals should also run a security “deep scan” to search for viruses and malware on their computers.
Providing regular staff training will enhance awareness of the dangers of phishing scams, which can come in the form of emails, texts and phone calls from scammers posing as vendors or contract workers. Effective training can make all the difference between the success and failure of fraud schemes. Some experts recommend adding a data breach simulation to the training schedule at least once per year. Others test awareness by “inoculation,” in which all users are sent a benign phishing email. Those who err are then educated on how to avoid the errors.
Strengthening passwords for both computer access and software access is also a good loss prevention practice. Passwords should be at least eight characters long (although longer is better) with a mix of numbers, letters and special characters (e.g., “D@Wg&PoN1$#0”). Or use a passphrase that is easy to remember but change some of the letters to numbers, such as “E” to “3.” For another example, “ILoveCPAs” is changed to !L0Vcp@$.
Another effective and commonly used defense against cybercrime is using password managers such as Dashlane 4, Keeper Password Manager & Digital Vault 8, LastPass 4.0 Premium, LogMeOnce Password Management Suite Ultimate 5.2, Password Boss Premium, RoboForm Everywhere 7, and Sticky Password Premium. These tools require users to remember only one password, and the software creates, stores and retrieves lengthy random-character passwords. They prioritize protecting users’ passwords and eliminate the need to remember and periodically change passwords.
Hackers stealing tax refunds
Hackers will also send fraudulent email messages to tax preparers substituting bank account numbers different from the legitimate client account numbers to divert tax refunds into their accounts. Once the refund is sent to the wrong account, it is immediately withdrawn. The taxing authorities have no responsibility once the refund has been sent to a banking account.
A common spoofing technique involves the hacker’s email address being just one letter or digit off from the legitimate client email address (e.g., “businessware.com” becomes “businesware.com”)—just enough to look like the victim’s address and to get the tax return preparer to change the account number. By hovering your mouse over a link, without clicking it, you can check the address for the website. If the address is for a different website, that’s a red flag, as is a misspelled link.
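As an added example (not part of the original article), the check below flags sender domains that are one edit away from a known client domain, the “one letter off” trick described above, so the message can be routed for a phone confirmation before any bank account change is accepted. The client domain list and sample addresses are constructed for illustration.

```python
# Added example: detect lookalike sender domains that are a single
# insertion, deletion or substitution away from a known client domain.
# KNOWN_CLIENT_DOMAINS and the sample addresses below are constructed.

KNOWN_CLIENT_DOMAINS = {"businessware.com", "example-client.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_CLIENT_DOMAINS, max_dist: int = 1) -> str:
    """'known' if the domain exactly matches a client domain,
    'lookalike' if it is within max_dist edits of one (the red flag),
    'unknown' otherwise."""
    dom = sender_domain(address)
    if dom in known:
        return "known"
    for client in known:
        if edit_distance(dom, client) <= max_dist:
            return "lookalike"
    return "unknown"


def screen_senders(addresses):
    """Return the addresses that must be confirmed by telephone
    before any change to a client's bank account number is applied."""
    return [a for a in addresses if classify_sender(a) == "lookalike"]


if __name__ == "__main__":
    # Constructed samples: the second drops one 's', as in the article's example.
    samples = ["cfo@businessware.com", "cfo@businesware.com",
               "cfo@businessware.co", "news@vendor.net"]
    for addr in samples:
        print(f"{addr:26s} -> {classify_sender(addr)}")
    print("verify by phone:", screen_senders(samples))
```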
Tax preparers should telephone clients to confirm any changes in bank account numbers before filing. It’s also wise to have insurance coverage in case the fraudulent scheme is not detected in time.
Phishing schemes may also target information such as W-2 forms, employee Social Security Numbers, or credit card information. The information can then be sold or used in attacks against the employees’ own personal computers, credit cards, and other accounts.
As CPA firms, tax professionals, and their clients continue to be victimized by cybercriminals, firms should redouble their vigilance with email and other cyber activity, and create conservative policies to prevent such crimes. A renewed effort toward preparing and educating your staff on cyber risk exposures will help deter criminals targeting your firm. Remember, it is not a matter of if, but rather a matter of when you will be targeted – don’t relax your defenses.