Protecting Your Tax Practice from Phishing Scams
Identity thieves who deploy phishing scams are quick to innovate, using popular communication platforms and current events to target victims where and when they are most vulnerable. That’s why phishing scams have evolved to include emails, social media ads and private messages, and text messages, and they often strike during natural disasters and national tragedies.
Tax professionals in particular are ripe targets for phishing scams, since their databases contain client financial data. That’s why all paid tax return preparers are required to create a written information security plan for protecting taxpayer data. Unfortunately, tax pros have to try to stay one step ahead of the constantly evolving schemes deployed by criminals.
“I strongly encourage tax preparers to review and strengthen their security plan before the next tax season,” says Drake Software Chief Compliance Officer Suzanne Vanderpool. “It is also critical to train employees to recognize phishing scams. The majority of security breaches we have seen in tax offices have come through email.”
Remember, the best way to avoid falling victim to phishing is by learning to spot current scams and following data security best practices when answering emails or surfing the Internet. In the Pandemic Era, phishing scams tend to come in five basic flavors: COVID-19 scams, fake charity scams, Economic Impact Payment scams, online shopping scams, and QR phishing scams.
Each of these strategies relies on stoking the anxiety caused by the virus, crafting messages that speak to uncertainty and prey on the spike in digital communication and telework.
COVID-19 Scams
Scams that specifically namecheck COVID-19 tend to impersonate local, state, and federal health agencies, advertising “recent announcements” about virus spread in the community or warning that you may have been exposed. These attacks—like most phishing scams—appear in emails, social media ads, and text messages that stress urgency in an attempt to convince you to download malware-laden attachments or click links that lead to malware downloads or phishing sites.
Fake Charity Scams
Recent fake charity phishing scams also focus on the coronavirus. Rather than using fear and intimidation, these scams turn people’s compassion into a vulnerability by impersonating charitable organizations that are seeking donations to help victims of COVID-19. These scams can appear in emails, website and social media ads, and texts.
Economic Impact Payment Scams
Economic Impact Payment scams try to capitalize on the confusion surrounding the $1,200 stimulus payments that were created by the CARES Act in March 2020. While these scams have evolved throughout the year, the latest round is trying to capitalize on the IRS’s push to get the remaining non-filers to register before the Nov. 21 deadline. The texts appear to come from state tax agencies and tax relief organizations, and they say recipients need to follow the provided link and supply their banking information to get an EIP. The link actually leads to a phishing site designed to look like Get My Payment on IRS.gov.
Online Shopping Scams
Online shopping scams are almost as old as the Internet itself, but that doesn’t mean they’re not effective—especially when the pandemic has led to record numbers of online purchases. Typically appearing as an email, website, or social media ad, online shopping scams work because most people are excited to find a good deal. They direct users to phishing websites that look legitimate, sometimes even using logos and text copied directly from real webpages.
QR Phishing Scams
QR phishing is an emerging trend in online scams, and it uses a special type of barcode to trick victims into downloading malware or visiting a phishing website. A QR code looks like a black-and-white pixelated box, and when scanned by a cell phone, it opens a webpage in the device’s browser. Because the destination address is encoded in the pattern, there is no way to preview it the way you can by hovering over a link in an email. Many companies include these special barcodes on physical advertisements—like newspaper flyers and billboards—so customers can easily visit the webpage selling the product. Unfortunately, identity thieves have started using QR codes to steal personally identifiable information (PII) and financial data.
What’s old is new again!
Just because identity thieves add to their playbook doesn’t mean they abandon older schemes. Literally while writing this blog, I received a familiar phishing phone scam: “We regret to inform you that your Social Security Number has been suspended,” the robotic voice intoned. Luckily, my work helps me stay on top of phishing scams new and old, but not everybody refreshes the IRS newsroom every day.
Even if you’re not glued to IRS news alerts, the agency and its Security Summit partners developed a number of helpful data-security resources that are aggregated on the IRS.gov “Identity Theft Central” webpage. (And, as always, you can bookmark the Taxing Subjects blog on DrakeSoftware.com, since we regularly cover recent IRS announcements.)
How do I create a written information security plan?
The FTC Safeguards Rule requires that tax professionals create and maintain an up-to-date written information security plan, so many tax offices may feel some pressure to get their plan right. While there is no one-size-fits-all data security plan—every tax office and financial organization is unique—there are a few basics that everyone should consider including in their plan:
- Security software that is installed and kept up to date
- Organization-wide instructions for safely handling email messages and surfing the Internet
- Employee training centered on identifying and avoiding phishing scams
- Secure platforms for safely exchanging digital client documents
- Clear steps your organization will take in the event of a data breach
Tax offices that prefer to base a new or updated security plan on a concrete example can download the Drake Software Tax Office Security Plan by filling out the form at the bottom of our “Easy Steps to Create Your Mandatory Tax Office Security Plan” blog.