IRS Issues Updated Security Warnings to Tax Professionals

In IRS News Release 2022-143,[1] the IRS has warned tax professionals about evolving scams that seek to obtain taxpayer information from the professionals’ networks.  And this is important because, as the news release notes, “[f]or tax professionals, securing their network to protect taxpayer data is their responsibility as a tax preparer.”[2]

The Potential Client Email/SMS Message Scams

The IRS begins by warning tax advisers of scams that start with emails from individuals claiming to be potential clients sent by email or SMS messages:

The Security Summit partners continue to see instances where tax professionals have been vulnerable to identity theft phishing emails that pose as potential clients. The criminals then trick practitioners into opening email links or attachments that infect computer systems with the potential to steal client information.[3]

The release first gives the broad definition of phishing:

Phishing emails or SMS/texts (known as "smishing") attempt to trick the recipient into disclosing personal information such as passwords, bank account numbers, credit card numbers or Social Security numbers. Tax pros are a common target.

Scams may differ in themes, but they generally have two traits:

  • They appear to come from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider or even the IRS and other government agencies.

  • They create a false narrative, often with an urgent tone, to trick the receiver into opening a link or attachment.[4]

The release then discusses targeted phishing campaigns:

A specific kind of phishing email is called spear phishing. Rather than the scattershot nature of general phishing emails, scammers take time to identify their victim and craft a more enticing phishing email known as a lure. Scammers often use spear phishing to target tax professionals.[5]

The release finally describes the “new client” spear-phishing email attacks:

In a reoccurring and very successful scam, criminals posed as potential clients, exchanging several emails with tax professionals before following up with an attachment that they claimed was their tax information. This scam gained energy as many tax professionals worked remotely and communicated with clients over email versus in-person or over the telephone because of the pandemic.

Once the tax pro clicks on the embedded URL and/or opens the attachment, malware secretly downloads onto their computers, giving thieves access to passwords to client accounts or remote access to the computers themselves.

Thieves then use this malware known as a remote access trojan (RAT) to take over the tax professional’s office computer systems, identify pending tax returns, complete them and e-file them, changing only the bank account information to steal the refund.[6]

The release also warns that similar spear phishing scams can be used to install ransomware onto the networks of tax professionals:

In the past, criminals have used ransomware attacks to shut down a variety of companies. Criminals can use similar, smaller scale tactics against tax pros. When the unsuspecting tax professional opens a link or attachment, malware attacks the tax pro’s computer system to encrypt files and the thieves hold the data for ransom.[7]

Using Multi-Factor Authentication for Cloud-Based Systems

Tax professionals are increasingly using cloud-based systems as part of their practices—including some professionals who might, if you asked them, would initially believe they do not use any such systems.

Examples of cloud-based systems that tax advisers might initially forget are truly cloud-based systems:

  • Electronic filing systems for most of the major tax software vendors – even if the firm is using tax software installed on their own network, the electronic filing interfaces invariably upload the returns to systems run by the vendor which then submit the returns to the IRS. Since this is a third-party vendor obtaining data from the firm via the internet, this is a cloud based service (and likely one of the first most firms used)

  • Email systems – Many organizations, even very large ones, outsource email systems to third parties such as Microsoft or Google, especially as users prefer accessing email via web browsers.

Cloud based systems do have some significant security advantages that shouldn’t be ignored. Microsoft and Google have large teams of security professionals devoted to managing the security of these systems—even the largest businesses won’t be able to bring similar resources to bear on securing a system they elect to run in-house.

But the news release notes that these systems do come with their own security concerns that the tax adviser will need to manage:

The Summit also warns tax professionals using cloud-based systems to store and prepare tax returns and information to make sure they use multi-factor authentication in light of recent attacks. Specifically, the Summit partners urge people using cloud-based platforms to use multi-factor options like phone, text or tokens. This can avoid potential vulnerabilities with authentication done just through email, which is easier for identity thieves to access.[8]

The news release makes the case why multi-factor authentication is important to reduce the advisers’ exposure to such unauthorized account access to cloud systems:

These cloud-based accounts are more vulnerable when tax pros do not use strong multi-factor authentication to validate who is using the platform. Summit partners urge using authentication methods besides email, which can be easier for thieves to access and allow entry into tax professional accounts. Using text, phone calls or tokens are safer options.

These scams highlight the importance of the basic security steps recommended by the Security Summit to protect data:

  • Using the two-factor (2FA) or the multi-factor authentication (MFA) option offered by tax preparation providers or storage providers would protect client accounts even if passwords were inadvertently disclosed.

  • Keeping anti-virus software automatically updated also helps prevent scams that target software vulnerabilities.

  • Using drive encryption and regularly backing up files helps stop theft and ransomware attacks.[9]

[1] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022, https://www.irs.gov/newsroom/security-summit-warns-tax-pros-of-evolving-email-and-cloud-based-schemes-to-steal-taxpayer-data (retrieved July 31, 2022)

[2] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[3] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[4] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[5] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[6] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[7] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022

[8] P July 26, 2022

[9] “Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data,” IRS News Release IR-2022-143, July 26, 2022