The IRS is joining with its Security Summit task force to warn tax professionals about the continuing threat posed by phishing emails to their data security efforts. Despite best efforts, phishing remains the most common tactic used by cybercriminals to steal sensitive data.

IRS Commissioner Chuck Rettig urges tax pros to take time during the summer months to review their data security measures.

“You can take all the cybersecurity steps in the world, but tax professionals and others in the business world should remember you are only as safe as your least educated employee,” said Rettig. “Cybercriminals use phishing emails and malware to gain control of computer systems or to steal usernames and passwords. These can provide a treasure trove of information that can lead to tax-related identity theft.”

A Common Start to a Shared Problem

More than 90 percent of all data thefts begin with a phishing email. Many times an employee opens a link that takes them to a fake web site or opens an attachment embedded with malware that secretly downloads onto their computer.

A variation on this theme termed “spear phishing,” uses bogus email messages posing as trusted source, meant to bait the recipient into opening an embedded link or an attachment. The email may make an urgent plea to the tax practitioner to update an account immediately. A link may appear to go to another trusted site – a cloud storage site or a tax software provider login page, for example – but it’s just another web page controlled by the thief.

Attachments may contain malicious software. One variety is called keyloggers; these small and nearly invisible programs secretly infect computers and provide the thief with the ability to see every keystroke. Thieves can then steal passwords to various accounts or even take remote control of computers, enabling them to steal taxpayer data.

The overarching characteristic of any phishing attack is deception. Some of the most common spear phishing scams seen by the IRS include thieves posing as prospective clients, sending unsolicited emails to the tax pro. After an exchange of emails, the thief sends a message with an attachment, claiming it contains tax information needed to prepare a return.

Instead, it actually contains spyware that allows the thief to track every keystroke.

More Than One Way to Steal

There are other scenarios, however, that could ensue from a phishing attack. The IRS also sees thieves posing as tax software providers or data storage providers with emails containing links that go to web pages that mirror real sites. The thieves’ goal is to trick tax professionals into entering their usernames and passwords into these fake sites, which the crooks then steal.

Sometimes the cybercriminal will encrypt the data rather than steal it. This is known as a ransomware attack.

Once they encrypt the victim’s data, thieves demand a ransom in return for the code to unencrypt the data. It should be noted that just because the cybercriminal is paid a ransom does NOT mean he’ll actually give the code to unencrypt your data. Many times the thief just takes the ransom and disappears.

Because of this, the Federal Bureau of Investigation warns users not to pay a ransom. The FBI says ransomware attacks are a growing threat to businesses and others. 

How to Foil Phishing

Educated employees are the key to avoiding phishing scams, and office systems are only as safe as the least informed employee. These simple steps also can help protect against stolen data: 

• Use separate personal and business email accounts; protect email accounts with strong passwords and two-factor authentication if available.
• Install an anti-phishing tool bar to help identify known phishing sites. Anti-phishing tools may be included in security software products.
• Use security software to help protect systems from malware and scan emails for viruses.
• Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.
• Send only password-protected and encrypted documents if files must be shared with clients via email.
• Do not respond to suspicious or unknown emails; if IRS-related, forward to phishing@irs.gov.

The IRS and its Security Summit partners of federal and state tax officials and tax industry leaders, have issued a “Taxes – Security – Together” checklist to help remind tax professionals of the basic steps that can protect their data – and the data of their clients:

• Deploy “Security Six” basic safeguards to protect computers and email
• Create a written data security plan
• Educate yourself on phishing scams
• Recognize the signs of client data theft
• Create a data theft recovery plan, and call the IRS immediately

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov.