While it’s common knowledge that tax return preparers and other tax professionals must constantly be on guard against hackers, several “phishing” schemes aimed specifically at tax professionals are gaining momentum. As tax season peaks, here’s a high-level rundown – they are varied and complex – of what these phishing schemes are all about and how to protect your clients’ personal information, as well as your own.
What is phishing?
Phishing is a scam typically carried out with the help of unsolicited email or a fake website that poses as a legitimate site to lure in potential victims and prompt them to provide valuable personal and financial information. Armed with this information, a criminal can commit identity theft or financial theft.
What types of phishing schemes are aimed at tax professionals?
In the U.S. the IRS recently announced that a bogus email was making the rounds to tax professionals asking them to update their IRS e-services portal information and Electronic Filing Identification Numbers (EFINs). The links provided in the bogus email to access IRS e-services appear to be a phishing scheme designed to capture your username and password.
Another type of phishing scheme is making its way via email communications to employees in accounting firms. These emails appear to be from a client requesting that the employee open an attachment from them. The attachment can then launch key logging malware that can detect every keystroke the employee makes. Even when this data is transmitted over an encrypted internet connection it can be vulnerable as the malware records keystrokes before they are encrypted. This is obviously a significant concern.
How to protect sensitive information
First off, keep in mind that government tax authorities don’t typically initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
Further, whether you’re checking personal or business email, these five tips can help you avoid being hooked by a phishing scheme.
- Be suspicious if the circumstances of the email aren’t well known to you.
- Hover your cursor over a link to look for misspellings in the URL or an unusual address.
- If in doubt, if the person is known to you, contact the sender directly to confirm they sent the email.
- Before you provide your ID or password, stop and think. The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
- Hackers can create fake websites that looks like one you use frequently, so check the URL in the browser to make sure it matches the address you’ve used previously.
- The most significant thing you can do, is ensure is ensure that your operating system and browsers are updated automatically. And it’s best to use the latest versions. Also, have up to date security software on your network and PCs. These items are the first line of defense. You also should advise your clients to do the same.
Remember that these are just a few examples of phishing attempts. There are others and new ones cropping up every day. Keep diligent is the best advice I can give you.
Companies such as Thomson Reuters provide microsites to report issues and they also provide additional advice.
If you receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System, report it by sending it to firstname.lastname@example.org. Visit: https://www.irs.gov/uac/Report-Phishing.
Much valuable information can be found on the IRS website about how they communicate with tax payers as well as tax professionals.
Visit our Thomson Reuters Tax & Accounting blog for more on this topic.