The IRS spotted highly sophisticated attacks against tax firms this year. The hackers gained remote access through either phishing or malware, and with it they were able to get into the cloud storage accounts holding client files. In one case, the intruders quietly kept accessing and downloading taxpayer information for around 18 months before they were caught. The FBI's Internet Crime Complaint Center reported that people lost $57 million to phishing schemes in a year. The IRS and the Security Summit partners have warned tax professionals to be alert to new phishing scams that try to take advantage of the coronavirus outbreak, Economic Impact Payments, and increased teleworking by practitioners.
The IRS, state tax agencies, and the nation's tax industry have urged tax firms to review and strengthen their data protection plans as cybercriminals step up their efforts to steal client tax information. Criminals are targeting tax professionals as well as taxpayers. The Security Summit, an initiative of the IRS, the private-sector tax industry, and state tax agencies, highlights basic security steps for all practitioners, but especially those who are working remotely in response to the pandemic.
The history of phishing scams includes some of the biggest names that fell into the trap, such as Facebook, Google, Crelan Bank, FACC, Upsher-Smith Laboratories, Ubiquiti Networks, Leoni AG, Xoom Corporation, and more. That shows the caliber of the criminals and why we need to learn the proper way to tackle phishing scams.
Whether it is a large corporation, a medium-sized company, or a small business, phishing is considered to be one of the most dangerous threats to the business. Chuck Rettig, the IRS Commissioner, said that “The coronavirus has created new opportunities for cybercriminals to use email to try stealing sensitive information.” Let us look at some of the methods that hackers use for phishing.
The Phishing Methods
Phishing emails are the most common form of phishing, with messages such as "your account password expired" arriving in the inbox. The email contains a link or attachment that looks quite official. Clicking on the link may take you to a site that looks like a trusted source but is actually fake. The site requests your username and password, or the attachment contains malware that secretly downloads further malware that tracks keystrokes. With the keystrokes, it becomes quite easy for the hacker to steal all the passwords of a tax professional. During the coronavirus outbreak, scammers have presented themselves as providers of face masks or personal protective equipment in short supply. The hackers have also used other tactics against taxpayers and tax professionals, impersonating the IRS or potential clients and calling or emailing to request bank account information for sending Economic Impact Payments.
Several warning signs that may indicate a phishing scam include:
- Asking customers to confirm personal and/or financial information.
- Including links to questionable or suspicious websites, email addresses, or attachments. Never click or open anything that does not come from a trusted source.
- Poorly written or communicated messages.
- Stating immediate action must be taken to avoid consequences.
- Claiming to be from DOR or the IRS, asking for personal information when neither agency will ever ask for personal information via email.
- Additionally, tax professionals, payroll offices, and human resources staff should be on high alert when asked for W-2 or banking information. Scammers often pose as employees and target these groups in search of personal information to file fraudulent returns.
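Two of the signs above can be checked mechanically: a link whose visible text names one site while its target is another, and a sender whose display name claims the IRS while the address is not an IRS one. The following Python is an added example, not part of the original article; the function names, the constructed sample message, and treating irs.gov as the only genuine IRS domain are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"  # assumption: only this domain is treated as genuine IRS

def host_of(value):
    """Lower-cased host of a URL or bare domain, without a leading 'www.'."""
    url = value.strip() if "://" in value else "http://" + value.strip()
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def same_site(host, expected):
    return host == expected or host.endswith("." + expected)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def link_mismatches(html_body):
    """Links whose visible text names one site while the href leads to another."""
    collector = AnchorCollector()
    collector.feed(html_body)
    flagged = []
    for text, href in collector.links:
        shown = re.search(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}", text, re.I)
        if shown and not same_site(host_of(href), host_of(shown.group(0))):
            flagged.append((text, host_of(href)))
    return flagged

def impersonates_irs(from_header):
    """True if the display name claims the IRS but the address is not under irs.gov."""
    name, addr = parseaddr(from_header)
    claims_irs = re.search(r"\bIRS\b|internal revenue", name, re.I)
    return bool(claims_irs) and not same_site(addr.rpartition("@")[2].lower(), IRS_DOMAIN)

# Constructed sample message parts (not taken from a real email).
SAMPLE_FROM = '"IRS Refund Department" <refunds@irs-payments.example.com>'
SAMPLE_BODY = ('<a href="http://irs.gov.verify.example.net/login">www.irs.gov</a> '
               '<a href="https://www.irs.gov/coronavirus">irs.gov/coronavirus</a>')
```

On the sample, only the first link is flagged: its text reads www.irs.gov but the target host merely begins with that string. Checks like these supplement, and do not replace, the judgment the list above asks of the reader.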
These are some of the signs. Now let us move on to the preparation needed to fight phishing scams.
How To Be Prepared For The Phishing Scams
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning calling for employees, especially those teleworking, to be educated about the increase in phishing scam activity. People are practising social distancing these days, and criminals are exploiting this by tricking tax professionals into opening links or attachments.
The Security Summit has urged tax professionals to create trusted-customer policies and to contact potential clients by phone or video conference.
- Keep the operating system and applications updated to the latest versions and update antivirus and security software.
- Use a trusted email service that flags questionable emails; for example, Gmail displays an alert at the top of an email if the communication or sender appears untrusted. It is important to note that these services are not completely foolproof, although they offer more protection than nothing at all.
- Two-factor authentication (2FA) adds another layer of protection to prevent unauthorized parties from accessing an account.
- External hardware authentication devices, called security keys, are the most secure form of 2FA, acting as a physical key to protect online accounts. While a password is something a user knows, the security key is something the user has, and without it the account cannot be accessed, which successfully combats hackers.
With phishing emails being so common and successful, the Summit partners have urged tax professionals to educate all office personnel about the problems and risks of clicking on suspicious emails, especially during the pandemic period. Tax professionals and taxpayers need to keep some important points in mind; let us delve into them.
Important Points for the Tax Professionals and Taxpayers
File your taxes early: If you file your taxes early, scammers planning to use your personal information to file a fraudulent return in your name will not be able to do so. They cannot file if you beat them to it.
Never click a link in an email that notifies you of the availability of tax documents: Instead, open your browser and type in the URL of your company's online W-2 or tax document retrieval service to avoid most of the common phishing scams. This ensures you reach the right website and get your documents safely.
Avoid IRS impersonation scams: The IRS never contacts you over the phone or email to ask for payment of an overdue tax bill. Criminals frequently make such calls, and they may request payment by normal means or by prepaid gift cards. Any contact like this should be ignored.
Report tax fraud: The IRS encourages taxpayers to send suspicious emails related to tax fraud to email@example.com. Other forms of tax fraud can be reported by following these instructions.
If individuals receive any unexpected or suspicious correspondence appearing to be from DOR or the IRS, they can report it to:
Internal Revenue Service
Indiana Department of Revenue
Phone: 317-232-2240, Monday through Friday, 8 a.m. – 4:30 p.m.
If you already know your data has been compromised, remember the Federal Trade Commission’s website has information to help you determine your next steps at identitytheft.gov.
Ultimately, individuals are empowered to play an active role in stopping phone and email phishing scams during tax time. Learning to recognize illegitimate emails and text messages, implementing personal solutions, and taking advantage of government resources will help ensure a safe and successful end to what has been a challenging financial year.