Drake Software blog for tax pros, covering tax, IRS news, and more

Dirty Dozen: Phishing Not Just Aimed at Taxpayers Anymore

The Internal Revenue Service kicked off its annual “Dirty Dozen” list of tax scams this week, and used the occasion to spotlight phishing schemes.

When these bogus email messages first showed up in the email in-boxes of taxpayers, they sought to fool the recipient into divulging personal information: Social Security numbers, logins and passwords.

Since those early days, though, the scammers have widened their sights, now putting tax professionals squarely in the crosshairs.

“Numerous data breaches across the country mean the tax preparation community must be on high alert to unusual activity, particularly during the tax filing season,” the IRS reminds. “Criminals increasingly target tax professionals, deploying various types of phishing emails in an attempt to access client data. Thieves may use this data to impersonate taxpayers and file fraudulent tax returns for refunds.”

The IRS has joined forces with the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators to help combat identity theft tax fraud and protect taxpayers. This is done as part of the Security Summit initiative, which has helped to structure the IRS’ response to data theft threats.

The state tax agencies, tax industry partners and IRS officials making up the Security Summit encourage tax pros to be wary of communicating only by email with potential or existing clients – especially if unusual requests are made. Remember that data thefts have given thieves millions of names, addresses, Social Security numbers and email addresses. If a tax professional is in doubt about an email from a client or potential client, a telephone call can confirm the client’s identity.

The Latest Scams

Scams aimed at tax professionals, payroll or human resources personnel are on the increase. These targeted scams are known as Business Email Compromise (BEC) or Business Email Spoofing (BES) scams.

There are several variations of this kind of scam. Depending on the variation, the criminals pose as:

  • A business asking the recipient to pay a fake invoice
  • An employee seeking to reroute a direct deposit
  • Someone the taxpayer trusts or recognizes, such as an executive, to initiate a wire transfer

The IRS warned of the direct deposit variation of the BEC/BES scam in December 2018, and continues to receive reports of direct deposit scams at phishing@irs.gov. The direct deposit and other BEC/BES variations should be forwarded to the Internet Crime Complaint Center (IC3). The IRS requests that Form W-2 scams be reported to: phishing@irs.gov (Subject: W-2 Scam).

Anatomy of a Phishing Expedition

Phishing starts with an email that comes into your in-box looking for all the world like it came from a client, a software provider or even the IRS. The suspect email invariably has a link and asks you to verify your information, or log in to your account.

The link, however, sends the victim to the scammer’s website, where any information entered by the victim goes straight to the identity thief.

Whether through legitimate-looking emails with fake, but convincing website landing pages, or social media approaches, perhaps using a shortened URL, the end goal is the same for these con artists: stealing personal information.

Criminals may use the email credentials from a successful phishing attack, known as an email account compromise, to send phishing emails to the victim’s email contacts. Tax preparers should be wary of unsolicited email from personal or business contacts, especially messages that fit the more commonly observed scams, like new client solicitations.

Malicious emails and websites can infect a taxpayer’s computer with malware without the user knowing it. The malware downloads in the background, giving the criminal access to the device, enabling them to access any sensitive files or even track keyboard strokes, exposing the victim’s login information.

Tax professionals who receive unsolicited and suspicious emails claiming to be from the IRS or its tax-related functions, such as the e-Services program, should report them to: phishing@irs.gov. Forward the suspect message to the IRS, then delete it from your computer.

The Battle Continues

One thing is sure: Phishing is not likely to go away anytime soon, despite the consequences for the scammers.

Both the Treasury Inspector General for Tax Administration (TIGTA), which handles scams involving IRS impersonation, and the IRS Criminal Investigation Division work closely with the Department of Justice to shut down scams and prosecute the criminals behind them.

But despite the efforts of the IRS, TIGTA and industry partners, the first line of defense against phishing is YOU, the tax professional. That’s why the IRS highlights one scam on 12 consecutive weekdays to help raise awareness.

“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”

Bob Williams

Forget genes; I’ve got words in my DNA. Communication has been part of who I am nearly all my life. From a long career in radio news to another one in newspapers – and a University of Georgia journalism degree sandwiched between the two – language has been my life. I’ve also been fortunate to have learned the tax business from the ground up here at Drake, starting with 1040.com online forms some years ago before moving on to work on the Web. In all things tax-ish, we aim to give you tools you can use.