Tax identity thieves apparently are paying close attention to official security moves that the Internal Revenue Service is making and using that information to create new schemes.
The latest effort by crooks to steal taxpayer personal data comes in the form of a new phishing scam designed to steal tax professionals' passwords and data.
e-Services is hook for latest ID theft effort: In an email alert sent this (Oct. 11) afternoon to tax pros, the IRS warned that this latest scheme tries to trick them into signing a new e-Services user agreement.
The phishing email claims to be from "e-Services Registration" and uses "Important Update about Your e-Services Account" in the subject line.
The fake email states, in part, "We are rolling out a new user agreement and all registered users must accept its revised terms to have access to e-Services and its products."
The scam message asks tax pros to review and accept the agreement. However, tax preparers who follow the phishers' instructions end up going to a fake site instead.
Real IRS e-Services changes on the way: This phishing scam comes just as the IRS is about to tighten its online authentication procedures.
Later this month, says the IRS, its e-Services will move to Secure Access authentication, which employs two-factor protections. Cybercriminals likely will make more last-ditch efforts to compromise tax professionals and their valuable client data before the security system transition is complete.
Remember, notes the IRS, identity theft schemes over the past few years have become more sophisticated and adaptive, like the changes made this summer to the massive fake IRS agent telephone tax scam.
Everyone — tax professionals and all us individual taxpayers — should be cautious when we receive any tax or financial-related unsolicited emails.
Take scam precautions: If you haven't yet received the phishing email, the standard security recommendations from the IRS and its Security Summit partners apply to this situation. They include:
- Be leery of any email seeking confidential data.
- Never, ever, ever open a link or an attachment from an unsolicited email. Legitimate software providers and the IRS do not embed links into emails asking tax pros to validate passwords.
- Make sure that every member of your tax and/or accounting office knows these rules in order to protect not only your clients' data, but also your tax business.
- Alert the IRS of the phishing attempt by sending a copy of it to email@example.com.
If, however, you have clicked on this link, the IRS suggests you perform a deep scan with your security software, contact your office's IT/cybersecurity personnel and get in touch with the IRS e-Help Desk.
You also can read more about what the IRS is doing to protect accounts with Secure Access authentication at the agency's e-Services landing page on IRS.gov.
You also might find these items of interest:
- IRS warns of four hot summer tax scams
- Tax phishing email from 'IRS Commissioner Mr. John Koskinen' promises $22.5 million
- Don't fall for tax ID theft phishing scam from crooks impersonating tax software companies