The IRS warns that tax professionals are increasingly the targets of phishing scams. Increase cyber security and beware of email that appears to be from friends, customers or companies.
In conjunction with its Security Summit, the IRS has launched a campaign entitled “Don’t Take the Bait” as part of its Protect Your Clients, Protect Yourself series. As tax professionals, we need to remember that we have a legal obligation to protect taxpayer information.
How the Scams Work
These are called phishing scams: they trick the email recipient into opening an infected link or attachment, giving the hackers access to user names and passwords for critical accounts. Tax professionals are an increasingly popular target because we hold the data for multiple clients.
Thieves can better present themselves as legitimate taxpayers when they have stolen information from tax practitioners, making it harder for the IRS to tell whether a return is suspicious.
How Prevalent is it?
- 92,564 unique phishing attacks per month are reported to the Anti-Phishing Working Group
- Over 100 billion (with a “b”) spam emails are sent every day
- More than 85% of all organizations have been targeted, according to Phishing.org
- One in 14 users has been tricked into opening one of these emails (25% of those have been fooled more than once)
- 95% of these phishing attacks include a malware installation that allows the phisher to take control of the computer system
- 81% of the scammers used stolen or weak passwords (according to Verizon’s annual Data Breach Investigations Report)
What can we do?
Tax professionals can be more vigilant. Even with the high volume of email we receive every day, consider every email before you open it:
- Once you open the email, is the message consistent with previous emails or language from that individual or company?
- DO NOT click on any link that looks remotely suspicious. Call the client or company to verify that the email is legitimate.
- If the email looks legitimate and is asking you to click on a link to access your account, DO NOT click on it. If it’s a legitimate request, you will be able to log into your account on the company’s website to access the information.
- Spread the word to everyone in your organization. It only takes one person in a network to click on an infected link to allow malware into your entire system.
The IRS currently receives 3-5 reports of data theft from tax professionals every week. If you suspect that you have been the target of an email scam, report it to one of the organizations above or directly to the IRS. In the meantime, increase your security measures and Don’t Take the Bait!