It’s called “spear phishing,” and, once again, it’s headed for an email in-box near you.
Spear phishing uses a bogus email message that tries to pass itself off as being from a friend, or a legitimate customer or company. What the senders really want, though, is your e-filing information: usernames, passwords, anything that can be used to e-file bogus income tax returns.
The IRS and its Security Summit partnership group want you to be ahead of this latest scam. The Security Summit, a joint effort of the IRS, state tax agencies and tax industry partners, is sponsoring its “Don’t Take the Bait” awareness campaign aimed at keeping such threats on the front burner with tax pros.
Remember: Tax professionals have more than an obligation to protect taxpayer information; there’s a legal requirement that we do so.
“We continue to see new and evolving threats involving data breaches, intrusions and various takeovers that put people’s personal information at risk,” said John Koskinen, IRS Commissioner. “These efforts are increasingly targeting tax professionals and businesses with tax information. Too many still overlook basic security steps needed to protect their data. As part of this, we urge the tax professional community: Beware your inbox. Don’t take the bait from these phishing scams.”
Phishing scams use bait or lures to trick preparers into opening an infected link or attachment or disclosing usernames and passwords to critical accounts. Falling for the phishing bait means exposing taxpayer data to theft. Thieves also are interested in stealing preparers’ e-Services passwords, Electronic Filing Identification Numbers (EFINs), Centralized Authorization File (CAF) numbers and Preparer Tax Identification Numbers (PTINs.)
From January through May, there were 177 tax professionals or firms who reported data thefts involving client information involving thousands of people. The IRS currently is receiving three to five data theft reports a week from tax practitioners.
“We’ve been warning tax professionals that they are increasingly the targets of national and international cybercriminal rings. These syndicates are well-funded, knowledgeable and creative. It’s going to take all of us working together to combat these identity thieves,” Koskinen said. “But doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The Anti-Phishing Working Group (APWG) reports the total number of unique phishing attacks in 2016 topped 1.2 million – a 65 percent increase over 2015. APWG says it sees over 92,000 unique phishing attacks every month and each attack could involve millions of emails.
Verizon’s annual report on data breach investigations says one in 14 users are tricked into opening a link or attachment from a phishing email. Some 25 percent of victims were duped more than once.
The 2017 Verizon report adds that the vast majority of successful attacks – 95 percent – include some sort of malware installation that allows the thieves to export data or take control of the targeted computer.
The 10-week “Don’t Take the Bait” campaign begins July 11, coinciding with the opening of the first IRS Nationwide Tax Forum at Orlando, Fla., and ends September 12 with the final Nationwide Tax Forum at San Diego.