IRS warns of ongoing twists on phishing scams


The Internal Revenue Service and its partners in the Security Summit are warning tax professionals against a new variation on an old scam in which fraudsters use pandemic-related themes in their phishing attempts to steal client data.

The Security Summit noted that, with so many people working remotely, fraudsters will pose as clients or potential clients trying to get in touch with a tax pro digitally — whether through emails or text messages — and then try to trick them into clicking on links or opening attachments that infect their computer systems.

“Identity thieves have been relentless in exploiting the pandemic and the resulting economic pain to trick taxpayers and tax professionals to disclose sensitive information,” said IRS Commissioner Chuck Rettig in a statement. “Fighting back against phishing scams requires constant vigilance, and we urge tax pros to take some basic steps to help protect their clients and themselves.”

Whether they’re phishing emails or “smishing” texts or instant messages, the fraudulent messages will usually appear to come from a known and trusted sender — a client, a colleague, a bank or even sometimes the IRS itself — and aim to project a sense of urgency to encourage the tax pro to act quickly and without taking basic precautions.

That said, in a recent version of the scam that the IRS described as “reoccurring and very successful,” the fraudsters engaged with their targets over a period of time, exchanging a number of emails with the tax professionals before finally sending an attachment that they claimed contained their tax information, but which actually downloaded malware onto the tax pro’s computer when it was opened.

Since the large amounts of valuable client data that tax professionals handle make them a natural target for scammers, the IRS strongly recommends that practitioners at least take the following steps to start protecting themselves and their clients:

  • Using two- or multifactor authentication;
  • Keeping antivirus software updated;
  • Using drive encryption; and,
  • Regularly backing up files.

For more, see the IRS’s Publication 4557, “Safeguarding Taxpayer Data.”