The Internal Revenue Service (IRS) and the Security Summit have launched an awareness series to help prevent tax professionals from falling victim to phishing attacks. ‘Don’t Take the Bait’ is part of the Protect Your Clients; Protect Yourself campaign, which highlights the importance of cybersecurity in the tax industry.
The series began on July 11 with Avoid Spear Phishing Emails, and will run weekly until September 12.
The IRS says that criminals are increasingly conducting phishing attacks to discover information that would be needed to file fraudulent tax returns. This means discovering passwords, stealing electronic filing identification numbers (EFINs) and centralized authorization file (CAF) numbers, or even taking remote control of victims’ computer systems.
Spear phishing – the practice of sending messages targeted at a specific person or organization – is prevalent in these types of campaigns. “We are seeing repeated instances of cyber criminals targeting tax professionals and obtaining sensitive client information that can be used to file fraudulent tax returns,” said IRS Commissioner John Koskinen.
“We urge practitioners to review this information and take steps to protect themselves and their clients.”
There has been a steady increase in the number of breaches related to tax return information in the past few years. Through May this year, 177 tax professionals or firms reported data thefts involving client information. A big contributor to this is the spate of Form W-2 scams that occurred during tax season. These forms are prized by criminals, because they contain all the information you need to file a tax return.
To mitigate the risk of phishing, the IRS recommends that organizations take the following steps:
- Educate employees about phishing in general and spear phishing in particular.
- Create strong, unique passwords, and use different passwords for each account.
- Hover your cursor over any links in unprompted emails to see the web address (URL) destination. If you don’t recognize the address, don’t click on it.
- Get verbal confirmation if you receive a suspicious request from a client (such as asking to change bank account information).
- Use security software to defend against malware, viruses, and known phishing sites.
Although such information is always helpful, organizations can’t pass it on to their staff and call it ‘job done’ for their cybersecurity strategy. For staff to discover how to mitigate the risk of phishing attacks – and for them to retain that information – you need to provide them with dedicated training.
Our Phishing Staff Awareness Course provides a detailed outline of phishing scams, helping to reduce the chance that an employee will hand over confidential information or inadvertently infect the organization’s systems. The course also helps employees identify phishing attacks, explains what happens when they fall victim, and shows them how they can mitigate the threat of an attack.