We already know that tax professionals aren’t immune from those Internal Revenue Service (IRS) scams. Now, IRS is alerting tax professionals that they are a specific target in a new kind of phishing email scam.
In the new scheme, scammers send tax pros emails pretending to be from tax software companies. As part of the email scheme, the tax professional is asked to download and install an important software update via a link included in the e-mail. The catch? The link points to a website which asks the tax pros to download a file which appears to be a software update: the file uses the software name followed by the “.exe” extension.
It looks real and upon completion, tax pros believe they have updated a software program. In reality, they’ve installed spyware designed to track key strokes on the computer (you might have heard this referred to as “keylogging” or “keystroke logging”). This is a common tactic used by cyber thieves to steal login information, passwords and other sensitive data. Once thieves steal PIN codes, account numbers and passwords, they can use this information to steal your identity (or the identity of your clients) to file fraudulent tax returns or hack into your bank accounts.
The IRS has only received notice of a handful of these cases so far, which were identified as part of the IRS Security Summit process. However, the IRS warns tax pros to be on the lookout for these scams and never to click on unexpected links in emails.
The IRS urges all tax pros to take the following steps:
- Be alert for phishing scams: do not click on links or open attachments contained in e-mails and always utilize a software provider’s main webpage for connecting to them.
- Run a security “deep scan” to search for viruses and malware;
- Strengthen passwords for both computer access and software access; make sure your password is a minimum of 8 digits long (more is better) with a mix of numbers, letters and special characters;
- Educate all staff members about the dangers of phishing scams in the form of emails, texts and calls;
- Review any software that your employees use to remotely access your network and/or your IT support vendor uses to remotely troubleshoot technical problems and support your systems. Remote access software is a potential target for bad actors to gain entry and take control of a machine.
The IRS also recommends that tax pros check out Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business (downloads as a pdf), which provides a checklist to help safeguard taxpayer information and enhance office security.
The IRS is increasing information geared towards tax professionals and data security as part of it new campaign to raise awareness about identity theft issues targeting the tax industry. The Protect Your Clients; Protect Yourself campaign features an ongoing effort to urge tax professionals to step up their security protections and be aware they increasingly are targets of cybercriminals.
In addition to the steps above, IRS advises tax pros to check their preparer tax identification number (PTIN) accounts to ensure the number of returns filed using their identification number matches IRS records. You can monitor “Returns Filed Per PTIN” online using the PTIN system. The system is available to tax pros who have a professional credential (Enrolled Agent, Certified Public Accountant, Attorney, Enrolled Retirement Plan Agent or Enrolled Actuary) or are an Annual Filing Season Program participant, and have processed at least 50 tax returns from the Form 1040 series in the current year. If you don’t see any data in the system, that means that fewer than 50 returns have been processed with your PTIN.
The information in the “Returns Filed Per PTIN” chart is updated weekly. If the number of returns processed is significantly more than the number of tax returns you’ve prepared and you suspect possible misuse of your PTIN, complete and submit Form 14157, Complaint: Tax Return Preparer (downloads as a pdf), to the IRS.
Don’t confuse the online records system criteria with the normal PTIN criteria. To be clear, anyone who prepares or assists in preparing federal tax returns for compensation must have a valid PTIN for the current tax year before preparing returns. All enrolled agents must also have a PTIN.