In the 1960s, Avis Rent-a-Car used “We Try Harder,” as its company motto. Now, 50 years later, Avis has dropped the phrase from its company lexicon.

Unfortunately, it seems identity thieves and hackers have resurrected the phrase as inspiration for their crimes. Cybercriminals have advanced from merely stealing data from tax professionals to actively taking over the accounts they use to e-file income tax returns.

Account takeovers occur when a thief manages to steal or guess the username and password of a tax professional, enabling access of their computers or their online accounts. With these credentials, thieves can, for example, access a tax professional’s IRS e-Services account to steal their Electronic Filing Identification Number (EFIN) or access the pro’s software account to obtain critical taxpayer information.

Account takeovers are becoming more common within the tax industry, but other groups are affected, too. This comes from the annual identity theft report produced by Javelin Strategy and Research. This year, Javelin reported a surge in account takeover incidents nationwide after years of decline. Most of these incidents involved financial accounts. Javelin noted a 31 percent increase in the number of incidents between 2015 and 2016.

Here’s how account takeovers work: Thieves do their homework, perusing web sites and social media for clues about tax preparer’s email addresses and business activities. Then, they pose as a familiar organization - for example, IRS e-Services or a private-sector tax pro software provider - by sending a spear phishing email that appears similar to the IRS or the software provider. They may even pose as another tax professional, a familiar bank or, increasingly, a cloud-based storage provider.

Spear phishing emails use links or an attachment that may load malware onto computers to capture keystrokes, eventually giving the thieves access to user credentials when the real users log into their accounts. The thieves may pose as a potential client, emailing an attachment that claims to contain tax information but is really infected with keystroke logging malware.

Here’s an example of a spear phishing email that tries to masquerade as a legitimate message from the IRS’ e-Services division:

As with most phishing e-mails, this example hints it might not be legitimate by the details in the message itself. The message misspells “eService;” the IRS uses the term e-Services (with a hyphen). Bad grammar (such as “you will loose your account) points to a writer with a poor command of the English language. Also, the message contains short URLs in their links, a sign that the real location of the linked material is being hidden.

The big giveaway here: IRS e-Services does not send emails except through its own Quick Alerts system.

Tax pros who get an email like this should pay special attention to the links in the email. Tax pros can hover their cursors over a suspicious link to see the destination, which may be a URL like: bit.ly; ow.ly; or tinyurl.com, as opposed to an actual IRS.gov URL. The suspicious link takes the practitioner to a website designed to appear as the actual e-Services login page. Here’s one example of a fake web page:

If a tax pro gives his credentials by logging in to a site like this, the cybercriminals can immediately use them to access accounts and steal EFINs. These in turn can be used either to e-file a fraudulent income tax returns, or to sell to another identity thief. But it doesn’t stop there. Once they have the tax professional’s login and password, the identity thief may be able to use a Power of Attorney and a Centralized Authorization File (CAF), allowing them to access clients’ transcripts.

Practitioners who reuse usernames and passwords across multiple online accounts may find that, if they are compromised, the hackers have accessed those other online accounts as well.

Increasing awareness about account takeovers is part of the “Don’t Take the Bait” campaign aimed at tax professionals. This is the second part of a special 10-week series aimed at increasing security awareness in the tax community. It is part of the Protect Your Clients; Protect Yourself effort. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect themselves from account takeovers.

Protect Your Data

Want to know more about how to protect your login and password information? Click here.