Tax Day is coming- be prepared. Whether you’ve already filed your taxes or plan to do so last minute, it’s time to be smart with your financial information.
The Internal Revenue Service, state tax agencies, and tax professionals continue to identify new phishing scams. Some find bad actors posing as potential clients or even the IRS to try and trick tax preparers into disclosing sensitive information.
In addition, tax returns continue to represent one of the most in-demand forms of cybercrime: in 2019, the IRS received thousands of reports of data breaches related to CPAs and tax firms, continuing a year-over-year trend of significant increases.
Hackers move fast, as well, often rushing to file fraudulent returns before legitimate taxpayers can do it themselves. This February, the IRS revealed details of some of the fake tax returns that had already been filed, containing accurate taxpayer names, addresses, Social Security numbers, and even bank account information for the victims.
Surprisingly, some of those illicit refunds were then deposited in the legitimate taxpayer’s bank accounts. Some criminals then doubled down on their ruse by posing as debt collectors and reaching out to consumers to notify them that the refunds had been sent in error. The victims were then urged to forward the money to the original hacker.
Since these fraudulent returns included the taxpayer’s correct information—all the way down to the right number of dependents—the IRS suspects that the scam originated in the offices of tax professionals. Many of these preparers are targeted with phishing scams that install malicious software onto desktops, laptops, networks, and servers. That malicious software in turn allows protected information to be compromised.
What can tax preparers and payers do to stay safe with Tax Day just a week away? The following strategies are recommended, all of which should be backed by the support and consultation of trusted IT and tax professionals:
- Looking to file electronically? Use a secure Internet connection.
Whatever you do, don’t file your tax return (or even work on it) while connected to public Wi-Fi at coffee shops, hotel business centers, airports, or other public places. Make sure any site you connect with has “https” in the URL, that any connection you use is password protected, and that you manually type out links to tax preparation software rather than following links from emails.
- Are you a CPA or other financial professional? Don’t communicate solely through email.
Whether it’s a potential or existing client, beware of conducting sensitive requests for duplicate W-2 copies, address changes, Social Security numbers, email addresses, or financial information through email. The recent spike in phishing scams (see below for sample emails) means no valuable data should be transmitted electronically when a phone call or in-person meeting will suffice.
- Mailing a hard copy of your tax return to the IRS? Don’t put it in an outgoing mailbox that can be accessed by someone else.
Instead, mail it directly from the post office. Also, never take pictures of sensitive tax information or store them on your mobile device or computer.
- Put proactive monitoring and maintenance provided by a trusted IT partner to work for your systems.
This can help defend against malware, viruses, and known phishing sites. These types of services will provide automatic security updates and software patches, so you don’t have to worry about evolving scams. In addition, they will keep up with new attempts to steal information and prevent bad actors from compromising your systems.
- Make sure your staff knows about phishing scams as the tax filing deadline looms.
Make sure everyone uses strong, unique passwords with two-factor authentication and password management where necessary. Never take an email from a familiar source at face value; for example, inspect anything from “IRS e-Services” closely. If it asks you to open a link or attachment, or includes a threat to close your account, think twice. NEVER click on any link or attachment included in an email that discusses tax information. Below are a few examples from security experts of common phishing schemes:
- “Have you finished filing your taxes? I want you to help us file our tax return this year as our previous CPA/account passed away. How much will this cost us? Hope to hear from you soon.”
- “Please kindly look into this issue, a friend of mine introduced you to me, regarding the job you did for him on his 2018 tax. I tried to reach you by phone earlier today but it was not connecting, attach is my information needed for my tax to be filed if you need any more details please feel free to contact me as soon as possible and also send me your direct telephone number.”
- “I got your details from the directory. I would like you to help me process my tax. Please get back to me ASAP so I can forward my details.”
The IRS also has received recent reports of cybercriminals posing as IRS e-Services, asking tax pros to sign into their accounts and providing a disguised link. The link, however, sends tax pros to an illegitimate site that steals their usernames and passwords.
Tax practitioners or taxpayers receiving emails from fraudsters posing as the IRS or tax software providers are recommended to go directly to IRS.gov and forward attempted phishing emails to firstname.lastname@example.org. Remember, the IRS does not send unsolicited emails and your tax preparer shouldn’t either!
With Tax Day weeks away and many filers preparing to finalize their personal returns for the 2019 tax year, opportunities for scams abound.