The Atlanta Journal-Constitution
Tax professionals told not to ‘take bait’
Hackers doing end-run around consumers with phishing epidemic.
ID crooks and hackers are doing an end-run around you by targeting your tax pro with what the Internal Revenue Service calls a phishing epidemic.
According to the IRS, there were 177 tax professionals or firms that reported data thefts involving client information relating to thousands of tax filers from January through May.
The IRS said it is receiving three to five data theft reports a week from those who prepare taxes.
Not all the data breaches involve phishing. But the IRS has spotted enough trouble that the agency is conducting a 10-week campaign called “Don’t Take the Bait” to educate tax professionals about the need for extra care.
Think about it: We hand all sorts of data over to our accountants and tax professionals each year. Bank account numbers for direct deposit information. Social Security numbers for our children. The names of the places where we bank or invest.
Tax files can hold all sorts of data that can easily be used by hackers or sold on the dark web.
“Either they use it or they will sell it,” said Luis D. Garcia, an IRS spokesman in Detroit.
ID thieves, like other con artists, tend to do their homework to seem legitimate and quite convincing the first time they send a scam email, Garcia said.
Fraudsters can do research via social media and other sites to better craft their pitches.
Joseph DeGennaro, tax director for Doeren Mayhew in Troy, Mich., said he recently attended a joint conference with the Internal Revenue Service and the Michigan Association of Certified Public Accountants.
“And every topic segued into cybersecurity and identity theft issues. This is the main emphasis of the IRS today,” DeGennaro said.
Scams can vary. In some cases, an email can be disguised to look like it is an alert from a tax client, a potential client or even a tax software vendor.
“They send you an email and they say we have this tax software we’d like you to try. ‘Please click here,’” said Audrey M. Victor, senior manager and certified public accountant for Rehmann Robson in Troy.
By clicking here, though, you’re often taking the first step to having some data compromised.
What’s interesting is that more people open those links or attachments than you might expect.
The Verizon Data Breach Investigations Report warned that in general one in 14 users are tricked into opening a link or attachment from a phishing email. A quarter of the victims have been duped more than once.
In some complex cases, it’s possible to use tax form data and earlier invoices in a scam to get a business to wire money to con artists who are pretending to collect on another bill.
In some cases, the ID thieves can send an email, pretending to be the legitimate client, and request that their income tax refund be directly deposited into a different account.
Internal Revenue Commissioner John Koskinen said national and international cybercrime rings are targeting the tax professionals and businesses.
“We urge the tax professional community: Beware your inbox. Don’t take the bait from these phishing scams,” Koskinen said in a statement.
While tax professionals take protecting data seriously, Koskinen’s statement indicated that many still “overlook basic security steps.”
“Doing nothing or making a minimal effort is no longer an option,” he said.
As part of its Security Summit program, the IRS and others in the tax industry are holding an educational series to focus on the need for added computer security and awareness to combat email scams that begin simply enough with fraudsters identifying themselves as friends, customers or well-known companies.
“Tax professionals must remember that they have not just an obligation, but a legal requirement under federal law to protect taxpayer information,” the IRS said.
To promote security, the IRS issued booklet, “Safeguarding Taxpayer Data.”
The checklist covers tips on how to put safeguards in place, train staff and make sure that the employee who leaves or is terminated returns laptops and other property that could allow access to taxpayer information.
Victor said tax professionals, including CPAs and enrolled agents, know it needs to be a top priority when it comes to making sure that a client’s information remains confidential.
“We understand we have highly sensitive information, and we do everything in our power to protect it,” Victor said.
In some cases, tax professionals work to educate clients, as well, about how to use the email system to exchange data safely. The IRS checklist, for example, notes that it’s important to encrypt taxpayer information when attached to email, and to require periodic password changes.
Other scams target employers and payroll service providers who have large stacks of W-2 data. Fraudsters want to engineer a big theft of sensitive personal data that can be used by criminals or sold on the black market to craft fraudulent tax returns and commit other ID-related crimes.
When it comes to seek W-2 data bases, the phishing email can look like it’s from the top brass at a company, such as the owner of the business or the chief financial officer.
But seriously - would the CEO really be requesting a list of employees and information including Social Security numbers?
In many cases, employees just naturally respond too quickly to any email if it looks like it’s from the boss.