IR-2020-178, August 11, 2020

WASHINGTON — The Internal Revenue Service and the Security Summit partners today warned tax professionals to be alert to new phishing scams that try to take advantage of COVID-19, Economic Impact Payments and increased teleworking by practitioners.

The IRS, state tax agencies and the nation’s tax industry urged tax firms to review and heighten their data protection plans this summer as cybercriminals step up efforts to steal client tax information. Crooks are targeting tax professionals as well as taxpayers.

Avoiding phishing emails is the fourth in a five-part Security Summit series called Working Virtually: Protecting Tax Data at Home and at Work. The Security Summit initiative by the IRS, state tax agencies and private-sector tax industry spotlights basic security steps for all practitioners, but especially those working remotely in response to COVID-19.

“The coronavirus has created new opportunities for cybercriminals to use email to try stealing sensitive information,” said IRS Commissioner Chuck Rettig. “The vast majority of data thefts start with a phishing email trick. Identity thieves pose as trusted sources – a client, your software provider or even the IRS – to lure you into clicking on a link or attachment. Remember, don’t take the bait. Learn to recognize and avoid phishing scams.”

Phishing emails generally have an urgent message, such as your account password expired. They direct you to an official-looking link or attachment. The link may take you to a fake site made to appear like a trusted source and request your username and password. Or, the attachment may contain malware, which secretly downloads malware that tracks keystrokes and allows thieves to eventually steal all the tax pro’s passwords.

This year, IRS identified a highly sophisticated attack against tax firms where thieves gained remote access either through phishing or malware and were able to enter the cloud storage accounts that held client files. In one case, thieves spent 18 months quietly downloading and accessing taxpayer information before they were discovered.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning to all organizations to educate employees, especially those teleworking, about increased activity related to phishing scams.

These scams focused on COVID-19 fears by presenting themselves as providers of face masks or personally protective equipment in short supply. Thieves also used other tactics against taxpayers, impersonating the IRS and calling or emailing requests for bank account information to send the Economic Impact Payments.

Tax professionals should beware of emails from criminals posing as potential clients. As people practice social distancing these days, criminals may exploit this process to try to trick tax practitioners into opening links or attachments. The Security Summit continues to urge tax professionals to create “trusted customer” policies, and contact potential clients by phone or video conference.

Taxpayers and tax preparers can forward suspicious emails posing as the IRS to phishing@irs.gov.

Because phishing emails are so common and successful, Summit partners urge tax professionals to educate all office personnel about the dangers and risks of opening suspicious emails – especially during the COVID-19 period.

Additional resources

Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data (PDF), and Small Business Information Security: The Fundamentals (PDF) by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax Professionals (PDF), provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media or visit Identity Theft Central at IRS.gov/identitytheft. https://www.irs.gov/newsroom/working-virtually-avoid-phishing-scams-part-4-of-security-summit-tips-for-tax-professionals