The IRS posted a Security Summit Alert in News Release IR-2017-126 regarding a new phishing scheme that has been reported to the agency that attempts to get usernames and passwords from tax professionals for their tax software provider accounts.  Unfortunately, one of the IRS’s suggestion to keep from getting caught arguably misses the mark and may make users more likely to fall for such scams.

Phishing is the attempt to get users to disclose various types of confidential information by using an email that appears to be legitimate.  The technique works around users who believe problems only occur if they open emails from “unknown” senders or who are simply harried and see what, on the surface, appears to be a reasonable request.

Image copyright Copyright: ivelinradkov / 123RF Stock Photo

Due to an increase in phishing attacks directed at preparers, the IRS announced that many of those who have e-services access to transcripts and have used the service will in the past year will need to revalidate their accounts or risk losing access (IRS Website, Important Update about Your e-Services Account).  However, those who registered after May 2016 will not be required to validate their identity, since the IRS has been using the “Secure Access” validation system since that date.

Image copyright merznatalia / 123RF Stock Photo

Due to identity theft and phone scams, the IRS has been modifying its guidance to employees to move away from making initial contact with a taxpayer via phone calls, instead moving towards requiring IRS employees to first send letters via mail to initiate contact.

The IRS has issued guidance to field employees in SBSE-04-0916-0023 that is similar to guidance previously issued for payroll tax exam and FTD deposit alert contacts.  This memorandum now orders field examination employees to make first contact via mail, and has interim revisions of various sections of Internal Revenue Manual 4.10.2.8, 4.10.2.9 and 4.10.2.10.

Images Copyright andreypopov / 123RF Stock Photo

In response to a report from the U.S. Treasury Inspector General for Tax Administration (Processes Are Not Sufficient to Assist Victims of Employment-Related Identity Theft, Reference Number: 2016-40-065) the IRS announced that it will begin a program to notify individuals whose social security numbers have been used in employment-related identity theft uncovered by the agency beginning January 1, 2017.

The TIGTA report looked at the state of matters related to employment related identity theft—that is, when a person uses the identity of another person to obtain employment.  Given that employers today are supposed to “verify” the social security number of potential employees vs. government data bases or face penalties if it is found to have hired individuals not authorized to work in the United States, it’s not surprising there is an active market in obtaining such “verifiable” identities.

Image Copyright zimmytws / 123RF Stock Photo

Just less than a month after indicating that initial contacts for employers who may be falling behind in their federal tax deposits will not be made by phone, the IRS has added another category to the "don't call first" list.  the same guidance has now been issued related to payroll exams looking at tip reporting, with SBSE Memo SBSE-04-0816-0031 providing that initial contact in those cases will not be conducted by telephone.

The IRS is reacting to the increasing number of scam phone calls to taxpayers claiming to be from the IRS and threatening dire consequences if some action is not taken immediately.  In response the IRS is working on modifying guidance in the Internal Revenue Manual to limit cases where the first contact with a taxpayer will be by phone.

Image Copyright coramax / 123RF Stock Photo

In March the IRS shut down the online system to retrieve an IP PIN, a development we noted at that time (see this article).  The IRS has now opened the site back up with what the agency claims are more stringent authentication requirements for taxpayers that should make it more difficult to fraudulently obtain such IP PINs.

The system is using the same more stringent authentication requirements that it required when it reopened the program to get a transcript online, a development we discussed in this article.

In SBSE Memo SBSE-05-0716-0035 the IRS announced a change in procedure related to contacting taxpayers for federal tax deposit (FTD) alerts. Now the IRS will not make phone contact on the matter until a notice of alert is mailed to the affected taxpayer that they will be contacted by phone by the IRS within 15 days.

Fraudulent calls from individuals claiming to be from the IRS has become a major problem, making it very difficult for taxpayers to recognize legitimate phone contacts from the IRS. Unfortunately, one of the reasons why the frauds are effective is because the IRS has resorted to phone contact of taxpayers in the past as initial contacts in certain situations.

The IRS has posted information from 2016 Security Summit outlining steps the IRS and other parties have taken to attempt to combat income tax refund fraud and identity theft in News Release IR-2016-94 and Fact Sheet FS-2016-21.

The Security Summit project, which began in 2015, involves the IRS, state taxing agencies and interested private sector organizations in developing responses that attempt to deal with the problems of tax related identity theft and refund fraud. Beginning July 1, 2016 the Security Summit will work under the auspices of the Electronic Tax Administration Advisory Council (ETAAC), with ETAAC’s charter expanded to deal with identity theft.

Yet again the IRS’s Electronic Filing PIN program was subjected to attack, following an attack in February. In the original problem IRS web systems were attacked using information that the perpetrators had acquired from other services. In a statement the IRS described the attack on their system.

In June the IRS announced on their website they had detected another attempted attack upon their system.

The Fact Sheet (FS-2016-20) issued with the News Release contains the following details on accessing and using the system.

The IRS has relaunched the “Get Transcript” online service with what the agency claims is a more rigorous process than the one that previously existed (News Release IR-2016-85).  In May of 2015 the IRS announced that it had discovered there had been unauthorized access to taxpayer’s transcript via the “Get Transcript” online service.  While the IRS initially estimated the unauthorized access to involve 100,000 taxpayers, by February of 2016 that estimate has ballooned to over 720,000 taxpayers.

While the unauthorized parties were able to access about ½ of the accounts they tried to break into, even under the old system many legitimate taxpayers were unable to complete the process.  As would be expected, with the IRS tightening controls on who can get it, even more taxpayers will likely find themselves unable to answer the questions—and some will simply be barred from accessing the transcript online due to the new requirements.

Earlier this month we had reported (see Policy Change Means IRS Will No Longer Initiate Audit Contact With Taxpayers Via Phone) that the IRS, responding to complaints at a Taxpayer's Advocate forum in Iowa, had pledged to implement a new policy where the agency would no longer contact taxpayers by phone to initiate tax exams.

One thing you can say for scammers—they react quickly as people become aware of one form of scam and move on to vary their approach so the mark is now confused that this call might be a real issue.  In News Release `IR-2016-81 the IRS noted that scammers have now moved on to making dunning calls for a non-existent tax, not just a non-existent tax bill.

In the latest scam to be described by the IRS, the caller claims the taxpayer has an unpaid “student tax” for which payment must be made immediately.  In one sense this sort of attack is a stroke of genius, since there are individuals that owe taxes, student loans or both, so this sort of confused combination likely dupes people who now are no longer sure what is being asked for.  As well, actual students often are used to interacting with the tax system, and so won’t as quickly recognize that the IRS simply doesn’t function in that manner.

After practitioners in Iowa complained in a meeting with Taxpayer Advocate Nina Olsen about the IRS initiating audits in that state via phone contact with taxpayers that was reported by Tax Notes, the IRS has decided to change that policy.

Practitioners had complained that such IRS contacts via phone were confusing to clients whom they had warned about fraudulent calls from people claiming to be with the IRS demanding payment, citing IRS statements that the “IRS doesn’t call first” with regard to such collection cases.

The problem of security and tax refund fraud unfortunately continues to create new developments, and this time the issue involves the IRS’s online IP PIN recovery system.  The IRS has announced it is shuttering the online IP PIN recovery system in an announcement posted on its website (“IRS Statement on IP PIN”).

On March 1, 2016, Brian Krebs (an IT security journalist whose writing we are referring to all too often in tax matters recently) posted a story describing a CPA who had her own IP PIN hijacked by unauthorized parties (“Thieves Nab IRS PINs to Hijack Tax Refunds”).  The story went on to discuss the flaws inherent in the IRS’s online IP PIN recovery process, a criticism Brian had leveled at the system back when the online transcript breaches took place last year, noting the IP PIN system used the same type of “identity confirmation” as that system.

One of the victims of the W-2 phishing scam discussed previously on this site turned out to be Seagate Technology, the large hard drive maker per a story published by Brian Krebs on March 6 (Seagate Phish Exposes All Employee W-2’s).  On March 1, 2016 (the same day the IRS news release on the scam was released) an employee received an email he/she believed was a legitimate request from someone in the company.  In response the employee sent off W-2 information for 2015, apparently for all employees of this very large company.

It is likely safe to assume that the IT staff at Seagate is larger than that at most CPA firms and also available around the clock.  Most small CPA firms don't have an IT person on staff, but rather use an outside consultant to maintain the network, with security being one of many things this person keeps track of, with the firm being one of many organizations the consultant does work for.

One of the many ways scammers attempt to either obtain information from individuals in organizations or get them to take actions that they shouldn’t take is to send an email to the individual purporting to be from a high placed individual in the organization that requests or demands immediate action.  The IRS has issued a notice that such a spoofing email scam is now aimed at getting payroll information from organizations (“IRS Alerts Payroll and HR Professionals to Phishing Scheme Involving W-2s”).

Too many individuals are woefully unaware of how easy it is to “fake” a from address in an email.  Frankly it’s a trivial exercise, but the fact that users tend to accept the from address at face value allows a nefarious party to send an email purporting to be from the President, CEO, etc. of the company asking for information to be sent or some action to be taken.

The IRS again revised upwards its estimate of the number of individuals whose information was accessed in the attack on the IRS’s “Get Transcript” application, raising the number to more than 720,000 affected taxpayers.  Earlier the IRS on May 26, 2015 announced in a statement published on the agency’s web page that criminals had obtained access to information about 100,000 taxpayers via unauthorized use of the IRS’s “Get Transcript” application.  In a similar number of cases the perpetrators had attempted to gain access but failed to do so.  The information accessed included Social Security information, date of birth and street address.

Later, on August 17, 2015 the IRS announced the problem was larger than initially revealed, indicating that further research had found that the number of taxpayers who had information accessed was now found to be 330,000—and, a similarly larger number of taxpayer accounts had unsuccessful attempts to access the data.  Now the number has been revised upwards again.