IRS Tax Tip 2022-136, September 6, 2022
Even a savvy person can get duped by a phishing email if they don’t know the warning signs of a scam. It’s unfortunate when anyone is fooled by an identity thief, but tax pros especially need to be aware of evolving scams that steal client data.
Criminals often pose as potential clients in fraudulent emails and texts
Securing their network to protect taxpayer data is a key responsibility for tax professionals, so they need to be aware of malware and scams. Tax pros are a common target for scammers who use phishing emails or texts to try to trick them into sharing personal information or clicking on malicious links and attachments that can compromise data.
These criminals often pretend to be potential clients, exchanging several emails with the tax pro. Once they’ve earned the tax pro’s trust, they send an email with a link or attachment they claim is their tax information. When the tax pro clicks on the link or opens the attachment, malware secretly downloads onto their computer, giving thieves access to passwords or remote access to the computer.
Once thieves are in the system, they can steal taxpayer data and their refunds
Thieves can use malware to take over a tax professional’s computer system and steal refunds by identifying pending tax returns, changing the bank account information, completing the returns and e-filing them.
Criminals will also use ransomware attacks to shut down a company. When the unsuspecting target opens a link or attachment, malware attacks the computer system to encrypt files. The thieves then hold the data for ransom.
Storing taxpayer data on a cloud-based system with weak security is another risk
Thieves will often take advantage of weak security on cloud-based systems storing client data. Tax pros should ensure they’re using strong multi-factor authentication whenever they use a cloud-based system. Once thieves access the system, they can use existing data from taxpayer returns to file new tax returns for the refunds.
There are many forms of multi-factor authentication available: text-based or email-based codes, authenticator apps, push notifications and Fast Identity Online, or FIDO. More information is available on the Cybersecurity and Infrastructure Security Agency website.
Tax pros can take a few basic security steps to help protect client data by:
- Using the two-factor or the multi-factor authentication option offered by tax preparation providers or storage providers to protect client accounts, even if passwords are stolen.
- Keeping anti-virus software automatically updated to help prevent scams that target software vulnerabilities.
- Using drive encryption and regularly backing up files to help stop theft and ransomware attacks.