Yet Another Phishing Email Warning from the IRS

A new warning has been issued by the IRS to tax preparers regarding fake emails in News Release IR-2017-39. The phishing email arrives with a subject of “Access Locked” and seeks to take advantage of preparers who may have run into security procedures added this year in their software where too may failed attempts results in—denied access.

Phishing emails are often designed with the understanding that users are most likely to open and act on emails without thinking if the context makes sense with regard to a user’s current situation. One standard security procedure that has been added to most tax software is to lock users out after a certain number of failed attempts to access the software. Such lock outs also will be used on related web sites (such as those used for electronic filing of returns in certain software).

If a user has experienced a lock out just prior to receiving one of these emails, the user may be easily tricked into giving his/her information.

The IRS gives the following details about this fraudulent email:

The scam email comes with the subject line, “Access Locked.” It tells recipients that access to their tax prep software accounts has been “suspended due to errors in your security details.” The scam email asks the tax professional to address the issue by using an “unlock” link provided in the email.

However, the link will take the tax professional to a fake web page, where they are asked to enter their user name and password. Instead of unlocking accounts, the tax professionals actually are inadvertently providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information.

Unfortunately the IRS’s advice on this topic isn’t terribly helpful since it fails to deal with the “this email makes sense in context” problem. That advice in the news release reads:

The Security Summit partners, which includes the IRS, state tax agencies and the nation’s tax community, remind tax professionals and taxpayers to never open a link or an attachment from a suspicious email. These scams can increase during the tax season.

Since an email that happens to arrive at a time to cause it to make sense in context won’t be a “suspicious email.” For that matter, very few people would open an email and click through the links if they felt it was “suspicious.” Rather, advisers will fall for this specifically when an email arrives that, due to the context of the situation, simply does not appear suspicious.

The only safe action is to avoid clicking on links in emails in the first place and to treat all attachments (even those that claim to come from a client or colleague) as potentially dangerous.