New Phishing Scam Taking Dead Aim at Tax Pros

It’s no secret that scammers continuously prey on innocent victims in an effort to steal their tax records. In many cases, they even commit identity theft by accessing their personal information. Scammers prey on anyone they can but often focus on the elderly, who can be more vulnerable to these types of attacks. Furthermore, scam artists are always looking for new ways to access their victims’ private information as they try to stay one step ahead of the IRS and other agencies trying to stop them. However, the IRS is now warning of a new kind of scam that perhaps no one would have ever seen coming.

Scamming Tax Professionals

Scammers are actually going after tax professionals with their latest phishing scam. According to the IRS, this email phishing scam attempts to fool tax professionals into believing they are working with their software providers via email. However, these emails are in reality a front to gain access to user names and passwords from tax professionals’ clients.

How Does it Work?

The IRS says the email comes with a subject line of “Software Support Update,” or “Important Software System Upgrade,” or something very similar. The email goes on to thank the tax professionals for trusting and allowing them to prepare their clients’ taxes and then asks them to validate their login credentials because of a recent update. When the information is entered, the email then sends the unsuspecting victim to a phishing site that steals the account login information.

Extremely Dangerous Scam

According to the IRS this new W-2 scam – called a business email compromise or BEC – is growing and is one of the most dangerous phishing email schemes currently being used. The IRS says it saw a sharp increase in the number of incidents and victims during the 2017 filing season. The agency says, “A business email compromise occurs when a cyber criminal is able to ‘spoof’ or impersonate a company or organization executive’s email address and target a payroll, financial or human resources employee with a request. For example, fraudsters will try to trick an employee to transfer funds into a specified account or request a list of all employees and their Forms W-2.”

Crippling Effects

Furthermore, according to IRS Commissioner John Koskinen, “These are incredibly tricky schemes that can be devastating to a tax professional or business.” This scam first started to appear during the 2016 filing season, and the IRS began to warn businesses that the scam had moved to tax administration.

The Number of Victims Is Increasing

After scammers used business email compromise tactics to ascertain W-2s, they immediately filed fraudulent tax returns that mirrored the actual income received by employees, thus, making the fraud harder to detect. The IRS reported that it saw the number of businesses, public schools, universities, tribal governments and non-profits victimized by the W-2 scam increase from 50 in 2016 to 200 in 2017. Overall, the IRS reports that the number of phishing scam attacks rose 65 percent in 2016 compared to 2015, to 1.2 million. In fact, there are more than 92,000 attacks of this kind every month

Steps to Fight Back

The IRS recommends that tax professionals take these important measures to fight these attacks:

• Always confirm any requests for W-2s, wire transfers or any sensitive data exchanges verbally, by calling previously used telephone numbers.
• If there is request to change the location for a vendor payment, always verify these requests and demand a secondary sign-off by company personnel.
• Train your employees about this scam, especially anyone with access to sensitive data, including W-2s, as well as those with authorization to make wire transfers.
• Set email policies to flag all email communications where the “reply” email address is different from the “from” email address shown.
• Use color-coding to differentiate virtual correspondences so emails from employee/external accounts are a different color from accounts belonging to employee/internal accounts.
• If a business email compromise incident occurs, always notify the IRS. You should also file a complaint with the FBI at the Internet Crime Complaint Center.

Always Practice Caution

As always, the IRS warns consumers, as well as tax professionals, to “never open links or attachments from suspicious emails.” However, the battle against cyber crime takes a complete effort by all parties involved, meaning brands and email marketers need to ensure their email security is sufficient to protect against impersonation attacks. To learn more about this scam and how to protect yourself, click here.