Tax Pros Got Wake-Up Call from Phishing Scammers
The latest phishing attack aimed at income tax professionals is proof positive that tax offices can’t let their guard down just because tax season is over.
This new assault mimics or “spoofs” an email from a legitimate state taxing agency or a tax professional organization.
The bogus email contains links that take the unwitting victim to what appears to be a legitimate site of the agency or professional group. But it is in fact the scammer’s page and the victims will be coaxed into divulging their user names, passwords, or other professional information.
Jerry Sparkman, director of Informational Technology at the National Association of Tax Preparers (NATP), says his organization was spoofed by phishing emails starting in early 2017.
“We believe the scammers have identified tax professionals as easier high value targets than most large service providers because of the depth of client information a tax professional has on file,” Sparkman told Taxing Subjects. “We believe the older phishing tactic has been re-purposed for use on tax pros by spoofing branding of organizations that tax professionals trust and recognize like NATP.”
Tips for Pros
Sparkman says the biggest key to prevention is awareness. The data that tax professionals possess is highly valuable to hackers and scammers. Additionally, the actions we take online are seldom performed in a vacuum.
Cybercriminals, Sparkman stresses, are also extremely flexible. “The tactics employed by malicious scammers will continue to evolve so there is really no easy magic fix or any technical solution to fit all potential situations. As we identify a new scam, the scammers move on to a new tactic in a day or two. The key is to remain aware and remember that tax professionals are heavily targeted by scammers; it could happen to you.”
As IT chief for the NATP, Sparkman has some additional recommendations for tax pros:
- Understand the anatomy of a URL
  - Phishing scams are most easily exposed by recognizing a false domain name in a link or address bar
  - For example: when clicking a link to Dropbox or Google, the domain part of the URL should be dropbox.com or google.com respectively
- Call or get confirmation via another channel
  - If you get an email, call to confirm before taking action
- Encrypt sensitive information
- Attend training and share experiences of online fraud
- Use Multi Factor Authentication
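The URL check in the first recommendation, written out as an added example (not code from the article or from NATP): it parses each link, pulls the host out of the parsed URL rather than the visible text, and accepts it only when it is the expected domain (the article's dropbox.com and google.com) or a subdomain of it. The sample email and the evil.test hosts are constructed; the two-label domain rule is a simplification that assumes a single-label suffix like .com.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'accounts.google.com' -> 'google.com'.

    Simplification: assumes a one-label public suffix such as .com. Production
    code would consult the Public Suffix List to handle cases like .co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_is_for(url: str, expected: str) -> bool:
    """True only if the URL really points at `expected` or one of its subdomains.

    Lookalikes fail because the domain is taken from the parsed hostname:
    'dropbox.com.account-verify.test' parses to account-verify.test, and
    'dropbox.com@evil.test' parses to evil.test ('dropbox.com' is userinfo).
    """
    parts = urlsplit(url)
    host = parts.hostname  # strips userinfo and port, lowercases
    if host is None or parts.scheme not in ("http", "https"):
        return False
    return registrable_domain(host) == expected.lower()


def suspicious_links(text: str, expected: str) -> list:
    """Every link in the text whose host is not under the expected domain."""
    return [u for u in URL_RE.findall(text) if not link_is_for(u, expected)]


# Constructed sample message; the second and third links are the lookalikes.
SAMPLE_EMAIL = """Your shared file is ready: https://www.dropbox.com/s/abc123
Verify your account here: https://dropbox.com.account-verify.test/login
Or sign in at https://dropbox.com@evil.test/login"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "dropbox.com"):
        print("does not belong to dropbox.com:", link)
```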
To help distinguish an email from the real organization from a spoofed email, Sparkman says the NATP includes ways that the recipients can authenticate that the message was meant for them and is actually from the organization. “Whenever possible, we include some unique information that only NATP knows about you to assist in authenticating that it is legitimate and safe communication. As a member, look for those pieces of content in the email that help to confirm we are us, look for pieces of information that only the real NATP would know about you,” Sparkman added.
But above all, tax professionals need to remain cautious. Sparkman says even authentication and other email countermeasures can’t guarantee that your inbox will remain phishing-free. He says attack attempts on tax pros have increased significantly over the past two years – and it’s only going to get worse.
And be warned: Sparkman says now there’s a new twist that injects the scammer himself into the process. “We would like to let everyone know that several of the attacks we have seen include a malicious actor on the other end of the email chain responding back to the potential victim, sometimes from compromised accounts of people the potential victim knows.”
It’s likely, he says, that the next new development will be to combine a spear phishing attack targeting a specific tax pro or tax office with spoofing of a trusted organization like NATP. Sparkman warns the scammer will be on the other end, corresponding in real time, pretending to be customer service or a CPE provider of the trusted organization.
Here, too, the best defense is to call the organization, using a phone number on the group’s legitimate website. “Online scammers will typically balk at any suggestion to accept a phone call to validate their authenticity,” Sparkman says.
The Big Picture
Drake and the NATP are two of the select tax industry partners who have joined the Security Summit, a tax security task force assembled in 2015 by the IRS to combat identity theft and tax return refund fraud. Sparkman sees the Security Summit’s creation of an identity theft/tax refund fraud Information Sharing and Analysis Center (ISAC) as a major achievement and a real advancement for the tax industry.
“To have hundreds of tax specific public and private sector organizations working together to disseminate information about cyber-attacks is critical to successfully combating the malicious actors that will go to any lengths to steal taxpayer information,” Sparkman said. “We appreciate Drake’s participation in the battle and will continue supporting the efforts of the Security Summit and the ISAC.”
Sparkman said the Security Summit has been beneficial, but will be critically important in constructing a safer future for the next generation of tax pros and taxpayers alike.
Additional Resources
The National Association of Tax Preparers encourages all tax pros to keep up-to-date on cybersecurity. The NATP has four free-to-the-public webinar videos available that the NATP, IRS and FTC presented, providing useful information on cybersecurity. You can find those resources at: NATPTax.com/Pages/NATP-Cyber-Protection-Resources.aspx