The humble phishing scam is one of the oldest grifts in the Digital Age. Despite their age, these scams remain remarkably effective. Part of that success is derived from constant evolution, and the Security Summit is dedicating the fourth installment of its “Working Virtually: Protect Tax Data at Home and at Work” educational outreach to warning tax professionals about a raft of new scams that could soon fill inboxes.
Since COVID-19 forced many businesses to adopt some form of telework, the annual Security Summit event is focusing on remote-work data security tips for tax professionals. While previous weeks have emphasized the need for adopting newer data security tools like multi-factor authentication and Virtual Private Networks, this week goes back to the basics.
What is a phishing scam?
In a phishing scam, the scammer poses as a trusted sender to trick victims into providing personally identifiable information. While chain letters and phone calls are some of the oldest forms of phishing, email scams are probably the most prolific because they are so easy to create and send. Here are two basic things to remember about phishing emails:
- Phishing emails often impersonate major retailers and people you know personally, and the IRS warns that they tend to have “urgent” subject lines, like “your account has expired.” For tax professionals, IRS Commissioner Chuck Rettig says that list often includes “a client, your software provider, or even the IRS.”
- Phishing emails often contain attached files or embedded links that install malware designed to steal your information or directly take over your accounts—whether by using stolen usernames and passwords or installing a type of remote-access malware.
One key takeaway is that you should never click on anything in these emails, and you should never send a response to the sender (regardless of how funny and satisfying that TED Talk is). Remember, these criminals are very skilled at tricking people into providing information via back-and-forth conversations. Instead, you should alert the proper authorities. In this case, that means starting by forwarding the email to the IRS scam-reporting email address: firstname.lastname@example.org.
What are the NEW phishing scams targeting tax professionals?
New phishing scams are impersonating legitimate coronavirus resources, often “by presenting themselves as providers of face masks or personally protective equipment in short supply.” The IRS says that scams more focused on tax professionals have posed as current or potential clients asking for more information about Economic Impact Payments. And if another round of EIPs is signed into law this year, expect phishing scams tailored to that legislation.
How do I learn more about phishing scams?
The IRS.gov “Identity Theft Central” page aggregates information related to all forms of identity theft, breaking down topics according to individuals, tax professionals, and businesses. Visitors will find links to the “Taxpayer Guide to Identity Theft” and the Security Summit’s “Taxes. Security. Together.” campaign, which makes the page an excellent starting point for learning more about identity theft. The Working Virtually press release also includes links to relevant documents:
- IRS Publication 5293, Data Security Resource Guide for Tax Professionals
- IRS Publication 4557, Safeguarding Taxpayer Data
- NIST Small Business Information Security: The Fundamentals
Check back with us next week for the final installment of the Security Summit’s Working Virtually campaign.