New More Sophisticated Phishing Attacks Aimed at Tax Professionals

Tax season in 2017 is opening with a warning from the IRS about a new email phishing scheme targeting tax professionals, described in News Release IR-2017-03.  This scheme is more complex than most: it is a two-step process in which the initial email merely entices the preparer to respond, and only then is a second email carrying the payload sent to the professional.

In the News Release titled “Security Summit Alert: New Two-Stage E-mail Scheme Targets Tax Professionals,” the IRS warned about this new scheme, in which the party seeking to obtain information from a professional poses as a potential new client.  The IRS notes “[t]he scheme's objective is to collect sensitive information that will allow fraudsters to prepare fraudulent tax returns.”

The IRS describes the scam as follows:

These latest phishing emails come in typically two stages. The first email is the solicitation, which asks tax professionals questions such as "I need a preparer to file my taxes." If the tax professional responds, the cybercriminal sends a second email. This second email typically has either an embedded web address or contains a PDF attachment that has an embedded web address.

In some cases, the phishing emails may appear to come from a legitimate sender or organization (perhaps even a friend or colleague) because they also have been victimized. Fraudsters have taken over their accounts to send phishing emails.

The tax professional may think they are downloading a potential client's tax information or accessing a site with the potential client's tax information. In reality, the cybercriminals are collecting the preparer's email address and password and possibly other information.

The IRS provides the following suggestions on how to deal with the problem of unsolicited emails:

The IRS urges tax professionals and tax preparation firms to consider creating internal policies or obtain security experts' recommendations on how to address unsolicited emails seeking their services.

One tip: Never respond to or click on a link in an unsolicited email or PDF attachment from an unknown sender. As the IRS, states and the tax industry make progress in the fight against identity theft, cybercriminals are becoming more sophisticated in their efforts to steal additional client information. Criminals need more data in their effort to impersonate clients and file fraudulent returns to claim refunds, and schemes like this can help in this effort.

Separately, Citrix emailed a notice last week to users of its Sharefile service that it had become aware of emails, made to look like Sharefile notifications, giving a link to a file that another party had supposedly uploaded to the service.  In reality these emails did not originate from Sharefile, and a recipient who clicked the link was sent to a site hosted in Poland, from which the payload was delivered to the user’s computer.

Citrix has notified the provider that hosted the fraudulent site to get it taken down, but clearly the parties involved need only take over another hosted account to continue the fraud, so the takedown is at best a temporary fix.

I have received a similar email sending in a “signed organizer” that claimed to come from another major secure file transfer site (SmartVault).  That one also contained a clickable “download” link that forwarded to a server in Poland, so it seems likely this scam is the same one that Citrix was warning about.

Not surprisingly, those looking to commit refund fraud are resorting to more sophisticated methods of obtaining the information that lets their fraudulent returns evade tax agency screens.  Obtaining information that lets them pose as a legitimate professional with a long history of e-filing legitimate returns is an obvious step to take.

The best way to avoid this problem is simply not to click on links in the emails you receive, as inconvenient as that may be.  That’s true even if the link claims to come from an existing client.  Instead, go directly to your secure transfer service’s website by typing its address or using your own bookmark, log in, and then check for new uploads on what you know is the actual server (be it Sharefile, SmartVault or whatever system you use).
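The rule above can also be applied mechanically before anyone clicks.  The script below is an example added for this article; it is not code from the IRS, Citrix, or any file-transfer vendor.  It parses a message, pulls every link out of the HTML body and every /URI action out of PDF attachments (the two delivery methods the IRS describes), and reports which links point at a host that is not under one of the practice’s own transfer-service domains.  The sample message, the `TRUSTED_DOMAINS` list, and the example.net hosts in it are all constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the transfer services this practice actually uses. The two names
# come from the article; replace them with your own list.
TRUSTED_DOMAINS = ("sharefile.com", "smartvault.com")

# /URI actions stored as literal strings, e.g. /A << /S /URI /URI (http://...) >>.
# Byte-level heuristic: hex strings and compressed object streams are not decoded.
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the URL's host is a trusted domain or a subdomain of one.
    Look-alikes such as 'sharefile.com.example.net' or 'notsharefile.com' fail."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage_message(raw_bytes, trusted=TRUSTED_DOMAINS):
    """Return one finding per link in the HTML body or in any PDF attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                findings.append({"source": "html body", "text": text, "url": href,
                                 "trusted": host_is_trusted(href, trusted)})
        elif ctype == "application/pdf":
            name = part.get_filename() or "pdf attachment"
            for match in PDF_URI.finditer(part.get_content()):
                url = match.group(1).decode("latin-1")
                findings.append({"source": name, "text": "", "url": url,
                                 "trusted": host_is_trusted(url, trusted)})
    return findings


def build_sample_message():
    """Constructed look-alike notification (not a real message): the anchor text
    says ShareFile, but both the link and the PDF's embedded URL point at
    hypothetical example.net hosts."""
    html = ('<p>A client has shared a signed organizer with you.</p>'
            '<p><a href="https://share-file-login.example.net/dl/organizer">'
            'Download from ShareFile</a></p>')
    # Minimal hand-written PDF with a single link annotation (no xref table).
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
           b" /Annots [4 0 R] >> endobj\n"
           b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]"
           b" /A << /S /URI /URI (http://docs-secure.example.net/organizer.exe) >> >> endobj\n"
           b"trailer << /Root 1 0 R >>\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "ShareFile <noreply@share-file-login.example.net>"
    msg["To"] = "preparer@example.com"
    msg["Subject"] = "Signed organizer uploaded for you"
    msg.set_content("A client has shared a signed organizer with you.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="organizer.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        verdict = "ok" if f["trusted"] else "DO NOT CLICK - log in to the service directly"
        print(f"{f['source']}: {f['text']!r} -> {f['url']} [{verdict}]")
```

A link that fails the check is a reason to open the service’s site yourself and look for the upload there, not a verdict that the message is malicious; a link that passes is not a guarantee either, since a compromised colleague’s account (as the IRS notes) can send a genuine link.  The PDF scan is a byte-level heuristic that will miss URLs inside compressed object streams, and the domain list is only as good as the practice’s maintenance of it.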

But aren’t you protected if you have security software on your system?  Unfortunately, the answer is no.  Security suites, including those that screen for suspicious emails, are always a step behind the people mounting such attacks; in fact, such attacks are generally tested against the major security suites before they are sent, to ensure the email won’t set off alarms.

Another option, a real pain to implement but one that clearly increases security, is to have a machine that is not running Windows and is not logged onto your network’s servers retrieve all such information first.  For instance, a Chromebook or a laptop running a Linux distribution (like the one I’m writing this article on) could be used to download attachments and inspect them before allowing them onto the main network.  This does not stop phishing where credentials are entered, but it does block malware from being installed, for two reasons.  First, such malware is almost always aimed at flaws in the operating system it expects to find (Windows), so it will not run on the retrieving machine.  Second, with that machine not connected to your network, there’s really nowhere for the malware to install itself to get data off your servers.  The caveat is that a downloaded file is just as dangerous once it is moved to a Windows machine, so the isolated machine only helps if the file is actually examined there rather than simply passed along.

But ultimately, advisers are simply going to need to be alert to the fact that every email should be treated as a potential attack on their systems aimed at stealing client information.  While clicking links in emails to get client information may be convenient, it is becoming too dangerous to treat as acceptable practice.