Don’t take the bait, step 1: avoid spear phishing emails - Fox29 WFLX TV, West Palm Beach, FL-news & weather

Don’t take the bait, step 1: avoid spear phishing emails

© iStockphoto.com / Yong Hian Lim

From IRS.gov

WASHINGTON — The IRS, state tax agencies and the tax industry today warned tax professionals to beware of spear phishing emails, a common tactic used by cybercriminals to target practitioners.

Spear phishing emails, often tailored to individual practitioners, result in stolen taxpayer data and fraudulent tax returns filed in the names of individual and business clients.

Information about spear phishing kicks off a new “Don’t Take the Bait” awareness campaign aimed at tax professionals. This is the first of a special 10-part series that will run each week through mid-September.

“We are seeing repeated instances of cybercriminals targeting tax professionals and obtaining sensitive client information that can be used to file fraudulent tax returns. Spear phishing emails are a common way to target tax professionals,” said IRS Commissioner John Koskinen. “We urge practitioners to review this information and take steps to protect themselves and their clients.”

The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to recognize and avoid spear phishing emails. See Protect Your Clients; Protect Yourself for more information.

Phishing emails target a broad group of users in hopes of catching a few victims. Spear phishing emails pose as familiar entities, and the cybercriminals have done extensive research and homework in order to target a specific audience. Tax professionals and taxpayers are among the groups that regularly receive phishing emails.

The security software firm Trend Micro reports that 91 percent of all cyberattacks and resulting data breaches begin with a spear phishing email. The email, disguised as being from a trusted source, may seek to have victims voluntarily disclose sensitive information such as passwords. Or, it may encourage people to open a link or attachment that actually downloads malware onto the computer.

There are several other versions of spear phishing emails in which the criminal poses as a potential client. In one version, the prospective “client” directs the tax professional to open an attachment to see the 2016 tax information needed to prepare a return. However, the attachment in reality downloads malware that tracks each keystroke made by the tax professional so that the criminal can steal passwords and sensitive data.

Most spear phishing emails have a “call to action” as part of their tactics, an effort to encourage the receiver into opening a link or attachment. The example above asks the preparer to review their tax information and provide a cost estimate.

Other spear phishing emails impersonate the IRS, such as the IRS e-Services tools for tax professionals, or in some instances a private-sector tax software provider. In those examples, preparers are warned that they must immediately update their account information or suffer some consequence. The link may go to a website that has been disguised by the thieves to look like the login pages for IRS e-Services or a tax software provider.

Cybercriminals are endlessly creative. This year, some identity thieves hacked individuals’ email accounts. Noticing that the individuals had been in email contact with tax preparers, the criminals used the individual’s email address to send a note to their preparer asking that the direct deposit refund account number be changed. The scam prompted an IRS alert to preparers about last-minute refund changes. See IR-2017-64.

Protecting Your Clients and Your Business from Spear Phishing

There is no one action to protect your clients or your business from spear phishing. It requires a series of defensive steps. Tax professionals should consider these basic steps:

Educate all employees about phishing in general and spear phishing in particular.

Use strong, unique passwords. Better yet, use a phrase instead of a word. Use different passwords for each account. Use a mix of letters, numbers and special characters.

Never take an email from a familiar source at face value; example: an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. Visit the e-Services website for confirmation.

If an email contains a link, hover your cursor over the link to see the web address (URL) destination. If it’s not a URL you recognize or if it’s an abbreviated URL, don’t open it.

Consider a verbal confirmation by phone if you receive an email from a new client sending you tax information or a client requesting last-minute changes to their refund destination.

Use security software to help defend against malware, viruses and known phishing sites and update the software automatically.

Use the security options that come with your tax preparation software.

Send suspicious tax-related phishing emails to phishing@irs.gov.

Remember that all of the web page addresses for the official IRS website, IRS.gov, begin with http://www.irs.gov. Don’t be confused or misled by Internet sites that end in .com, .net, .org or other designations instead of .gov. The address of the official IRS governmental Web site is http://www.irs.gov/.
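The hover check and the IRS.gov address rule from the steps above, as an added Python example that is not part of the IRS release: it lists each link's visible text beside the host it really points to. The shortener list, the function names and the sample email are assumptions made for illustration, and accepting any irs.gov subdomain goes slightly beyond the article's www.irs.gov wording.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed sample list, not exhaustive

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def real_host(url):
    """Host the browser would contact; urlsplit drops any 'user@' prefix."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def verdict(text, href):
    """Classify one link the way the hover check in the article would."""
    host = real_host(href)
    if host in SHORTENERS:
        return "abbreviated URL"
    if host == "irs.gov" or host.endswith(".irs.gov"):
        return "official IRS.gov"
    if re.search(r"\birs\b", text + " " + host, re.I):
        return "claims IRS, goes elsewhere"
    return "unrecognized destination"

def review_links(html_body):
    """Return (visible text, real host, verdict) for every link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    return [(t, real_host(h), verdict(t, h)) for t, h in parser.links]

# Constructed sample email body; every address in it is made up for this example.
SAMPLE = """<a href="http://www.irs.gov.account-update.example/login">https://www.irs.gov/e-services</a>
<a href="https://www.irs.gov@refunds.example/status">IRS refund status</a>
<a href="https://bit.ly/xxxxxxx">View notice</a>
<a href="https://www.irs.gov/e-services">IRS e-Services</a>"""
print(*review_links(SAMPLE), sep="\n")
```

The first two sample links show why the visible text and the start of the address are not enough: the host that matters is the one that ends the domain portion, after any `@`.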
