The April 17 deadline for filing will bring this tax season to a close before we know it. So it makes sense that the bad guys are planning to make hay while the sun shines. Identity thieves and scammers are unleashing a new campaign to beat the deadline.
The Internal Revenue Service and its Security Summit partners are alerting tax preparers to be on the lookout for bogus emails aimed at them pretending to be from “IRS Refunds.”
A Familiar Tactic
This isn’t the first time an “IRS Refunds” scam has been used. Like previous incarnations, this one sends a bogus email aimed at enticing the recipient into opening a link or attachment associated with the email message. The link in turn takes people to a fake web page where the thieves attempt to steal personal information such as Social Security numbers or passwords.
Many times, the links also secretly download multi-function malware that can give the thief control of the user’s computer or track keystrokes so the thief can get logins, passwords or other critical data.
The real IRS does not randomly contact taxpayers – or tax professionals, for that matter – via email. The agency will also not ask people to confirm their tax refund information. Even if special circumstances dictate that IRS personnel call or visit a home or business, taxpayers will generally receive several notices from the IRS by U.S. mail before such calls or visits take place.
Know the Signs
There are several “red flags” that a call or email is a scam and not the real IRS. First, the real IRS will never demand that taxpayers or businesses use a specific payment method, such as prepaid debit card, gift card or wire transfer.
Second, the IRS will never demand payment without an opportunity to question or appeal the amount that is said to be owed. Standard IRS practice is to mail a bill to the business or taxpayer for tax due, but also to advise the taxpayer of their rights.
And the real IRS will never threaten to bring in local police, immigration officers or other law enforcement officers and threaten to have the taxpayer arrested for not paying. The IRS can’t revoke a driver’s license, business license or immigration status – all typical threats used by scammers.
What’s a Tax Pro to Do?
The IRS says a few basic steps in prevention can go a long way for any tax professional’s office:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: the IRS never initiates initial contact with tax pros via email.
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
- Review internal controls:
- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
- Use strong and unique passwords of 10 or more mixed characters, password-protect all wireless devices, use a phrase or words that are easily remembered and change passwords periodically.
- Encrypt all sensitive files/emails and use strong password protections.
- Back-up sensitive data to a safe and secure external source not connected fulltime to a network.
- Wipe clean or destroy old computer hard drives that contain sensitive data.
- Limit access to taxpayer data to individuals who need to know.
- Check IRS e-Services account weekly for number of returns filed with your EFIN.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert and Social Media.