IRS Notes Increase in Data Breaches from Tax Professional's Offices

In News Release IR-2018-68 the IRS warned tax professionals that a larger number of them than in past years have had their systems compromised this filing season.  The guidance warns professionals about the steps they need to take to avoid having their own systems compromised.

The IRS describes a scam that I and many other CPAs I know have seen—the “New Client” scam, which appears to be ramping up once again as we hit the end of tax season.  As most of us are aware, these emails come with attachments purporting to be tax documents, but which are crafted in various ways to deliver malware to the CPA’s systems when they are opened.

The IRS describes spear phishing attacks in general, and the New Client variant, in the news release:

A common tactic, called spear phishing, occurs when the criminal singles out one or more tax preparers in a firm and sends an email posing as a trusted source such as the IRS, e-Services, a tax software provider or a cloud storage provider. Thieves also may pose as clients or new prospects. The objective is to trick the tax professional into disclosing sensitive usernames and passwords or to open a link or attachment that secretly downloads malware enabling the thieves to track every keystroke.

The “New Client” scam is one form of spear phishing. Here’s an example: “I just moved here from Michigan. I have an urgent Tax issue and I was hoping you could help,” the email begins. “I hope you are taking on new clients.” The email says one attachment is the IRS notice and the other attachment is the prospective client’s prior-year tax return. This scam has many variations. (See IR-2018-2, Security Summit Partners Warn Tax Pros of Heightened Fraud Activity as Filing Season Approaches.)

The term “spear phishing” is meant to differentiate the attack from a more general phishing attack.  In a general attack, the perpetrator sends fraudulent emails to a very broad list that is not specially selected.  In that case the email often appears to come from a major company.  The perpetrator is “playing the odds” that a certain percentage of the recipients will have accounts with the spoofed company and will therefore open the email.

In spear phishing the perpetrator selects a much smaller list of potential victims that share some characteristic, and then creates a fraudulent email that is tailored to be of special interest to the selected group.  In some cases, the selected group may be a single individual or just a few individuals from a specific company or firm.  The smaller the targeted group, the easier it is for the perpetrator to create an email that will be too enticing (or scary) not to open.  That is especially true if the perpetrator does some research about his marks before going on the attack.

The IRS notes that there was a significant increase in data thefts from preparers’ offices this year. As the release notes:

This filing season, the Internal Revenue Service has seen a steep upswing in the number of reported thefts of taxpayer data from tax practitioner offices. Seventy-five firms reported taxpayer data thefts in January and February, nearly a 60 percent increase from the same time last year. Much of this increase follows one scam, the erroneous refund scheme, that affected thousands of taxpayers and numerous practitioners earlier this filing season.

It may take a while before a firm becomes aware that its systems have been compromised, since the attackers most often do not wish simply to grab the data, but also to use the firm’s systems to file fraudulent returns.  Fraudulent returns filed through the firm’s own EFIN, especially when they use the firm’s clients’ data, are more likely to escape detection by the taxing authorities.  For this reason, the attackers will take care to avoid detection as long as possible.

To help professionals catch such infiltrations earlier, the news release provides the following list of indicators that may mean a firm’s systems have been compromised:

  • Client e-filed returns begin to reject because returns with their Social Security numbers were already filed;
  • The number of returns filed with tax practitioner’s Electronic Filing Identification Number (EFIN) exceeds number of clients;
  • Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS;
  • Network computers running slower than normal;
  • Computer cursors moving or changing numbers without touching the keyboard;
  • Network computers locking out tax practitioners.

Of course, many of those indicators may have causes other than the compromise of the firm’s network and systems.  However, if the firm is experiencing a number of these conditions, that would certainly raise warning flags.
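The first two indicators on the IRS list, and the later advice to check e-Services weekly for the number of returns filed under the firm’s EFIN, amount to a reconciliation the firm can do itself.  The following is an added example, not code from the IRS release or from the author of this post.  It assumes the firm keeps its own log of returns it transmitted (so the e-Services count can be checked against what the firm actually sent, not only against the client count, which is a stronger check than the release states) and records the weekly e-Services count so the week the two figures diverged can be found.  All data below is constructed, the reject wording is illustrative rather than an actual IRS reject code, and the escalation rule is this example’s own choice.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed weekly snapshots (not real data). Each row holds the cumulative
# number of returns e-Services reports for the firm's EFIN and the cumulative
# number the firm's own e-file log says it transmitted.
WEEKLY_SNAPSHOTS = [
    # (week_ending, returns_per_efin, returns_per_firm_log)
    ("2018-01-26", 40, 40),
    ("2018-02-02", 95, 95),
    ("2018-02-09", 171, 150),   # constructed divergence: 21 returns the firm never sent
    ("2018-02-16", 240, 205),
]

# Constructed e-file rejects received by the firm. The reason text is
# illustrative only; real IRS reject codes are not reproduced here.
REJECTS = [
    {"client": "C-1007", "reason": "Return already filed for primary SSN"},
    {"client": "C-1032", "reason": "Return already filed for primary SSN"},
    {"client": "C-1050", "reason": "Missing required form"},
]

# Clients (constructed ids) who reported an IRS authentication letter
# (5071C, 4883C, 5747C) before the firm had filed anything for them.
AUTH_LETTERS_BEFORE_FILING = ["C-1088"]

CLIENT_COUNT = 230   # constructed size of the firm's client roster


@dataclass
class Assessment:
    efin_excess: int                       # EFIN count minus firm's own log, latest week
    first_divergence_week: Optional[str]   # week the excess first appeared
    efin_exceeds_clients: bool
    duplicate_ssn_rejects: List[str]
    auth_letters: List[str]
    indicators: List[str]
    escalate: bool


def efin_gap(snapshots) -> Tuple[int, Optional[str]]:
    """Return (latest excess of EFIN count over the firm's log, first week it appeared)."""
    first_week = None
    excess = 0
    for week, irs_count, firm_count in snapshots:
        gap = irs_count - firm_count
        if gap > 0 and first_week is None:
            first_week = week
        excess = gap
    return max(excess, 0), first_week


def duplicate_ssn_rejects(rejects) -> List[str]:
    """Clients whose e-file was rejected because a return for that SSN already exists."""
    return [r["client"] for r in rejects if "already filed" in r["reason"].lower()]


def assess(snapshots, rejects, auth_letters, client_count) -> Assessment:
    """Score the IRS compromise indicators that can be checked from the firm's records."""
    excess, first_week = efin_gap(snapshots)
    latest_irs_count = snapshots[-1][1]
    dup = duplicate_ssn_rejects(rejects)
    exceeds_clients = latest_irs_count > client_count
    indicators = []
    if excess > 0:
        indicators.append(
            f"e-Services reports {excess} more returns for the EFIN than the firm "
            f"transmitted (first seen week ending {first_week})")
    if exceeds_clients:
        indicators.append(
            f"EFIN return count {latest_irs_count} exceeds client count {client_count}")
    if dup:
        indicators.append(f"{len(dup)} rejects for SSNs already filed: {', '.join(dup)}")
    if auth_letters:
        indicators.append(
            f"{len(auth_letters)} non-filing clients received IRS authentication letters")
    # Escalation rule (this example's own choice, not from the release): a gap
    # between the EFIN count and the firm's own log should never occur, so it
    # escalates on its own; the softer indicators escalate when two or more coincide.
    escalate = excess > 0 or len(indicators) >= 2
    return Assessment(excess, first_week, exceeds_clients, dup, list(auth_letters),
                      indicators, escalate)


if __name__ == "__main__":
    result = assess(WEEKLY_SNAPSHOTS, REJECTS, AUTH_LETTERS_BEFORE_FILING, CLIENT_COUNT)
    for line in result.indicators:
        print("INDICATOR:", line)
    print("Escalate to IRS Stakeholder Liaison:", result.escalate)
```

The week the EFIN count first outruns the firm’s own log is the most useful output: it bounds when the attacker began filing through the firm, which is the starting point for any incident response and for the report to the Stakeholder Liaison.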

The news release ends with the following list of security steps the IRS suggests professionals implement:

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates contact via email.
  • Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
  • Review internal controls:
      • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
      • Use strong and unique passwords of 10 or more mixed characters, password protect all wireless devices, use a phrase or words that are easily remembered and change passwords periodically.
      • Encrypt all sensitive files/emails and use strong password protections.
      • Back up sensitive data to a safe and secure external source not connected fulltime to a network.
      • Wipe clean or destroy old computer hard drives that contain sensitive data.
      • Limit access to taxpayer data to individuals who need to know.
      • Check IRS e-Services account weekly for number of returns filed with EFIN.
  • Those who experience a security incident or a breach resulting in data disclosure should report the incident to the appropriate IRS Stakeholder Liaison.