The specific scam the IRS is warning about seeks to obtain tax professionals’ e-services portal information and EFINs by asking professionals to update their information. The scheme appears to be intended to capture the professional’s e-services user name and password.
The IRS notes that advisers should ignore the email and should not click on the links provided.
Of course that advice is of use primarily for this single scheme. What is more important for tax professionals is to understand the inherent risks involved in links transmitted via email.
Specifically, such links do not go where they may claim to go. I may tell you the following link goes to the University of Arizona’s website, or even give you a clickable link that looks like http://www.arizona.edu. Of course, as you’ll note if you click either of those links, that’s not where you’ll end up. This works because our emails today tend to be “pretty” emails, and that “prettiness” comes from using HTML that makes it all too easy to hide what’s really going on.
In a phishing scam the site you are redirected to will not make it clear, as the link did above, that you have not been sent where you believed you were going. Rather, in that case the site will look like the IRS site, but it will not be that site.
So what should you do? The simplest rule is never to take action via an email if you did not request the item. If an email arrives in your mailbox unsolicited, no matter who it is from, do not click the link. Rather, either type the address of the website you are supposed to go to into your web browser or contact the party sending the email via phone (you remember those, right?) to ensure that the mail in question was truly sent to you and that it is appropriate to click the link.
You also need to ensure that your staff is aware of these issues. While these scams looked to get IRS credentials, targeted phishing scams can be used to gain access to your internal networks and data. Thus it’s simply a requirement that all tax professionals have a complete understanding of cyber-security basics.