New Phishing Email Masquerades as e-Services Security Notice and Then Steals the Professional's Credentials

Scams to steal information from tax professionals just keep coming, and the latest is a phishing email detailed in IRS News Release IR-2016-145.  This phishing scam is looking to obtain e-services credentials from tax professionals and, like most good phishing scams, the email looks just credible enough to get someone not paying attention (or simply not aware of how email and phishing work) to provide the requested information.

A good phishing email must look like something the recipient would expect to see—and often takes advantage of a mark’s awareness that something has changed, relating the email to that change.  In recent years that’s quite often been to cloak the email scam in the guise of increased security (and, yes, I’m sure the scammers find the irony amusing).

This new one is of that type.  As the IRS notes:

The scammers are attempting to exploit current IRS efforts to strengthen the e-services authentication process and its ongoing communications with tax professionals about their accounts. Scammers are attempting to steal e-services usernames and passwords or even more personal data through a registration page.

More specifically, the email exploits news stories about leakage of data from the IRS (even though it was never e-services data), throws in a "state-sponsored actor" as the source of the attack (for those who have heard such vague statements about various other attacks in the news recently), and adds the fact that the IRS is making changes to e-services to increase security.  As the IRS notes:

The scammer email tells recipients that information was stolen from certain user accounts in 2015 from a state-sponsored actor. It says users are being asked to upgrade their e-service account to ensure protection of their information. It asks them to click on the login to access their accounts for security upgrade.

The IRS is in the process of upgrading e-services security and has been in communication with tax professionals about updating their accounts.

The IRS notes details on this email:

The subject line for the fraudulent email is "Security Awareness for Tax Professionals." The "From" line is "Your e-Services Team." It has both an IRS logo and an e-services logo that hyperlinks to a URL verified as a phishing site. The spoofing site poses as an e-services registration page.

Clearly, if this email arrives in your inbox it should be deleted immediately and not acted upon.  As well, all other members of your firm with access to e-services should be notified of this scam.

If a professional has already fallen for the scam, the IRS gives the following advice:

If e-services users have already clicked on the fake logo and provided their username and password, they should contact the e-services help desk to reset their accounts. If the same password is used for other accounts, these should be changed as well. As an extra precaution, users should perform a deep security scan on their computers, re-evaluate their security controls and be alert to any other signs of identity theft or data compromise.

Advisers should never go to the IRS e-services page (or any other important page) by clicking on a link in an email.  A link in an email can send the user anywhere, and it certainly doesn't need to send the user to the site it claims to, even if the visible text of the link is a full website address: the text you see and the address the link actually opens are two separate pieces of the message, and the scammer controls both.  It's also trivial to format an email to look just like the official emails sent from any organization (including your firm, or that of one of your clients), and the "From" line is just as easy to forge.

Put simply, your email client and browser (or, more specifically, the HTML they are displaying) can easily be made to lie to you.
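To make the point concrete, here is an added example (not from the IRS release or the original post) of the trick described above and one way to check for it. The HTML is a constructed stand-in for the kind of message the IRS describes: a link whose visible text is the genuine irs.gov address but whose actual destination is elsewhere, and a logo image that is itself a link. The domain "example-phish.test" is a placeholder, not a real phishing site, and the "irs.gov" sender domain is an assumption chosen for this illustration. The script pulls every link out of the HTML and flags two things: visible text that looks like a URL but whose host differs from the link's real host, and any link (including image links) pointing outside the purported sender's domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the visible link text is the genuine
# IRS address, the href is not; the "logo" image is also a link.
# "example-phish.test" is a placeholder domain for this illustration only.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear e-Services user,</p>
<p>Please visit <a href="http://example-phish.test/eservices/login">
https://www.irs.gov/e-services</a> to upgrade your account.</p>
<a href="http://example-phish.test/register"><img src="cid:logo" alt="e-Services logo"></a>
<p>Questions? See the <a href="https://www.irs.gov/help">IRS help page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text, wraps_image) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text parts, wraps_image] while inside <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = [attrs.get("href", ""), [], False]
        elif tag == "img" and self._current is not None:
            self._current[2] = True  # the link's "text" is an image

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, parts, wraps_image = self._current
            text = " ".join("".join(parts).split())  # collapse whitespace
            self.links.append((href, text, wraps_image))
            self._current = None


def host_of(url):
    """Lowercased host of a URL; a bare 'www.example.com' is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    return text.startswith(("http://", "https://", "www.")) and " " not in text


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def audit_links(html, sender_domain="irs.gov"):
    """Return (href, visible text, reason) for each link that warrants suspicion."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text, wraps_image in parser.links:
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            # The classic trick: the address you read is not the address you open.
            findings.append((href, text, "visible URL host differs from href host"))
        elif not in_domain(href_host, sender_domain):
            what = "image/logo link" if wraps_image else "link"
            findings.append((href, text, f"{what} points outside {sender_domain}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: text={text!r} -> {href}")
```

Run against the sample, the script reports the spoofed e-services link and the hyperlinked logo, and stays quiet about the help link that really does go to irs.gov. The check is deliberately simple; a link that passes it is not proven safe, which is why the advice below remains not to click at all.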

The IRS then goes on to remind professionals of the recommendations that came out of this year’s security summit:

The IRS, state tax agencies and tax industry partners working together through the Security Summit have an awareness campaign underway called Protect Your Clients; Protect Yourself. The objective is to remind tax professionals they increasingly are the targets of identity thieves seeking ever larger amounts of taxpayer data to file fraudulent tax returns.

Security Summit partners recommend tax professionals:

  • Always use robust security software
  • Use encryption software to protect taxpayer data
  • Use strong passwords and change them often
  • Learn to recognize phishing emails attempting to steal data
  • Never click on links or download attachments from suspicious emails
  • Beware of any communications claiming to be the IRS that are outside normal channels

I would modify that advice as follows:

  • Never download attachments from any email until you confirm with the purported sender, through a channel other than that email, that an attachment was actually sent (preferably clients should upload data via a secured portal instead)
  • Never click links in emails, period.  (That simple step alone would stop most phishing emails from being effective; type the address yourself or use a bookmark you created)
  • Be suspicious of any purported communication from the IRS, your tax software vendor, or a current or prospective client, especially one that arrives outside the channels you normally use with them