Phishing attacks on tax professionals are soaring. Tax professionals across the United States have been extensively targeted by cybercriminals this tax season who fool them into disclosing sensitive information such as login credentials and tax information.
The IRS has received 177 reports from tax professionals that have fallen for the scams this year and have disclosed sensitive information, although the victim count is likely to be much higher since not all phishing attacks are reported. Currently, the IRS is receiving between three and five new reports of successful phishing scams each week.
Many of the victims have reported large data losses as a result of the phishing scams. Tax information is used by cybercriminals to file fraudulent tax returns in the victims’ names. The data can also be used for identity theft.
The IRS says tax professionals are being extensively targeted by highly organized criminal gangs in the United States, as well as international crime rings. The IRS points out that the criminals conducting phishing attacks on tax professionals “are well funded, knowledgeable and creative.”
Targets are researched and information is often included in the emails that is relevant to the recipient. The name and address of the target are often used in the emails and the requests are highly credible. Emails may request data or provide a hyperlink for the recipient to click. Clicking the link results in malware being downloaded that gives the attacker access to the computer. Keyloggers are often downloaded that record and transmit passwords.
The Anti Phishing Working Group tracked 1.2 million unique phishing attacks last year, representing a 65% rise from 2015. Those scams often involve millions of emails. Currently, APWG is tracking an average of 92,564 unique phishing attacks each month.
Phishing attacks on tax professionals can be highly sophisticated, but in the majority of cases it is possible to block attacks by employing basic security measures. Unfortunately, many organizations overlook these steps.
The IRS is working closely with the tax industry and state tax agencies as the ‘Security Summit’. The Security Summit has recently launched a new campaign to help tackle the problem of phishing by raising awareness of the threat via a new “Don’t Take the Bait” campaign.
Over the next 10 weeks, the Security Summit will send weekly emails to raise awareness of the different types of phishing scams and other threats. The Security Summit has kicked off the campaign with spear phishing, which will be followed by education efforts to raise awareness of CEO fraud/BEC scams, ransomware attacks, remote account takeovers, EFIN thefts and business identity theft.
Blocking phishing attacks on tax professionals requires layered defenses, one of the most important being the use of software solutions to prevent phishing emails from being delivered to end users’ inboxes. SpamTitan blocks more than 99.9% of email spam and keeps inboxes free from malicious messages. If emails are not delivered, employees will not be tested.
Even with software solutions in place it is important for all employees to be aware of the threat from phishing. Security training should be provided to teach employees how to recognize the tell-tale signs of phishing emails and organizations should try to develop a culture of security awareness.
IRS Commissioner John Koskinen said “Doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The IRS recommends several measures to reduce risk:
- Educate all employees on the risk from spear phishing and phishing in general
- Ensure strong passwords are used
- Always question emails – Never take them at face value
- Never click a link without first checking the destination URL – Hover the mouse arrow over a masked link to find the true URL
- Use two-factor authentication for all email requests to send sensitive data – Confirm with the sender via the telephone
- Use security software to block phishing emails and malware and ensure the software is updated automatically
- Use the security settings in tax preparation software
- Report suspicious emails to the IRS