Is your tax preparer savvy enough to spot a scam?
He or she might be a whiz with deductions and helping you avoid the Alternative Minimum Tax. Fighting an audit might be her strength, or maybe he’s an expert at tax savings for small business.
But that doesn’t mean your preparer won’t fall victim to a scam perpetrated by fraudsters who are trying to steal taxpayers’ personal information.
It’s a real problem. According to IRS, there were 177 tax professionals or firms who reported data thefts of thousands of people from January through May. And each week, the agency receives three to five new data theft reports from tax preparers, the IRS said.
The agency is trying to help.
As part of a summer-long education campaign, the IRS’ “Don’t Take the Bait” program covers the latest tax-related scams.
The IRS is warning tax professionals to watch for so-called spear phishing emails.
“Spear phishing emails, often tailored to individual practitioners, result in stolen taxpayer data and fraudulent tax returns filed in the names of individual and business clients,” the IRS said.
It can take years to clear up the mess if you’re a victim.
In one version of the scam, the sender impersonates the IRS, and “preparers are warned that they must immediately update their account information or suffer some consequence.”
The email contains a link that goes to a website that’s been disguised by the thieves to look like the login page for IRS e-Services.
Once the scammers have access to the preparer’s login and password, they can go to town.
Other emails impersonate the makers of private-sector tax software programs, and they advise the tax preparer that it’s time to update their software for the upcoming tax season. And this is the time of year when many of these programs indeed offer updates, so now is when tax pros may be most vulnerable.
In others attempts, the scammer impersonates a prospective client. The IRS offered an example of an email that was sent to a tax preparer earlier this year.
The subject line said “Tax return.”
“The email is conversational but ungrammatical and oddly constructed: ‘hope your (sic) doing good (sic) and actively involved in the tax filing season,'” the IRS said of the email. “This is potentially a sign that English is a second language.”
The IRS notes the hyperlink uses a “tiny” URL, which is used to mask the true destination of the link.
In another version of the email scam, a prospective client tells the tax pro to open an attachment to see the information needed to prepare the sender’s tax return.
“However, the attachment in reality downloads malware that tracks each keystroke made by the tax professional so that the criminal can steal passwords and sensitive data,” the IRS said.
Scammers have also hacked into email accounts of tax preparers and taxpayers alike.
“Noticing that the individuals had been in email contact with tax preparers, the criminals used the individual’s email address to send a note to their preparer asking that the direct deposit refund account number be changed,” the IRS said.
If the tax preparer falls for it, your refund will end up in the hands of the scammer.
WHAT TO DO?
The IRS offers tax preparers some fine advice on how to protect client information. We share those tips here in their entirety:
1. Educate all employees about phishing in general and spear phishing in particular.
2. Use strong, unique passwords. Better yet, use a phrase instead of a word. Use different passwords for each account. Use a mix of letters, numbers and special characters.
3. Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Visit the e-Services website for confirmation.
4. If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.
5. Consider a verbal confirmation by phone if you receive an email from a new client sending you tax information or a client requesting last-minute changes to their refund destination.
6. Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.
7. Use the security options that come with your tax preparation software.
8. Send suspicious tax-related phishing emails to firstname.lastname@example.org.
So what should you do as a client?
Talk to your tax preparer and find out how your personal information is protected.
Ask if the pro has followed the IRS’ “Don’t Take the Bait” campaign,and make sure they’re savvy about these scams.
If they don’t show interest or know-how when it comes to cyber attacks, consider a new tax preparer.
And tax preparers, please be proactive and take the IRS’ advice. Then share the information with everyone who works in your office.
Thanks for keeping your clients’ information safe.