Phishing Emails Claiming to be Software Update Notices from Tax Software Firms Being Sent to Preparers

The IRS issued a warning regarding attempts to trick tax professionals into installing malware on their systems by clicking on an “update” link for their tax software. [IR-2016-103] Once the link is clicked, the “update” installs a keystroke logger that sends all of the preparer’s keystrokes (which will likely include important client information) to a third party—and we can presume that party is planning to use that information for various nefarious purposes.

The use of email to trick users into installing malware is very common—because it’s very effective.  If the email fits the general context that users expect (email from the software provider we use for tax software that is formatted as expected) and the message itself seems reasonable (there’s an important software update—perhaps even an extremely important one to avoid having your systems compromised) we will often click through on the email and follow its instructions without a second thought.

Given the limited number of software providers for professional tax software, this particular attack doesn’t really require the attacker to know what software a firm uses—if the attacker blankets all CPA firm addresses it has with an email claiming to be from, say, Lacerte or ProSystemfx, the “guess” will be right for a significant portion of the audience.

The IRS describes the attack as follows:

In the new scheme identified as part of the IRS Security Summit process, tax professionals are receiving emails pretending to be from tax software companies. The email scheme requests the recipient to download and install an important software update via a link included in the e-mail.

Once recipients click on the embedded link, they are directed to a website prompting them to download a file appearing to be an update of their software package.  The file has a naming convention that uses the actual name of their software followed by an “.exe extension.”

Upon completion, tax professionals believe they have downloaded a software update when in fact they have loaded a program designed to track the tax professional’s key strokes, which is a common tactic used by cyber thieves to steal login information, passwords and other sensitive data.

So what should preparers do? First, never click on email links to update software; instead, visit the vendor’s website to obtain updates and/or use the vendor’s own software update system that is installed on your computer. Second, be sure all of your staff and partners are aware of this rule—because you should expect these scams will begin to include text suggesting that the “fix” must be undertaken immediately to avoid certain disaster (infiltration of your systems, client refunds being sent to the wrong bank accounts, etc.) in an attempt to stampede someone in the firm into starting the update.
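A firm's mail filter can back up that rule by flagging the two traits the IRS describes: a link that downloads an ".exe" file, and a message that names the tax software while linking somewhere other than the vendor's own site. The sketch below is an added example, not code from the IRS or any vendor; the vendor domains, the function name and the sample message are constructed placeholders.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: placeholder domains. Replace with the update domains your vendors publish.
VENDOR_DOMAINS = {"lacerte": {"lacerte.example"}, "prosystemfx": {"prosystemfx.example"}}

class LinkParser(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def fake_update_findings(raw_email):
    """Return (url, reason) pairs for links that match the fake-update pattern."""
    msg = message_from_string(raw_email)
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    parser = LinkParser()
    parser.feed(body)
    urls = set(parser.links) | set(re.findall(r"https?://[^\s\"'<>]+", body))
    text = " ".join([msg.get("Subject", ""), msg.get("From", ""), body]).lower()
    named = [v for v in VENDOR_DOMAINS if v in text]  # vendors the message mentions
    findings = []
    for url in sorted(urls):
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https"):
            continue
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".exe"):
            findings.append((url, "link downloads an .exe"))
        for vendor in named:
            if not any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS[vendor]):
                findings.append((url, f"names {vendor} but host {host} is not a known vendor domain"))
    return findings

# Constructed sample message, shaped like the scheme in the IRS description.
SAMPLE = ("From: Lacerte Updates <updates@mail-notice.example>\n"
          "Subject: Important software update\n"
          "Content-Type: text/html; charset=utf-8\n\n"
          '<p>Install now: <a href="http://downloads.example.net/Lacerte_Update.exe">Update</a></p>')

if __name__ == "__main__":
    for url, reason in fake_update_findings(SAMPLE):
        print(url, "->", reason)
```

A message that trips either check is a candidate for quarantine or a warning banner; the filter supplements the rule above and does not replace it.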