Professional associations can be a valuable tool for tax professionals, providing industry updates, opportunities for networking and access to continuing education credits. Unfortunately, scammers are capitalizing on these relationships to gain access to taxpayer information. The Internal Revenue Service (IRS) and its state and industry Security Summit partners are warning tax professionals about a new scam involving phishing emails posing as accounting and professional associations.
The IRS has received reports from tax professionals who received fake emails from scammers who were trying to trick them into disclosing their email usernames and passwords. So far, the IRS says that tax professionals in Iowa, Illinois, New Jersey, North Carolina, and Canada (yes, Canada) have been targeted.
If you live outside of those states (and Canada), don’t let your guard down. Crooks can—and do—easily change their tactics. It’s not unlikely that this scam will make the rounds using other association names or making other adjustments.
As for the current scheme? Here’s what to look out for. According to the IRS, to date the scam involves an “awkwardly worded phishing email” that states:
We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server.
The email is, of course, a phishing attempt. Your information can be captured and used to access your account, or you may be directed to a malware site. It’s similar to a scheme reported last year involving a phishing email scam impersonating tax-software providers and attempting to steal usernames and passwords from tax professionals.
If you receive a suspicious email from a professional association asking you to click on links or open attachments, use care. It’s best to go directly to those associations’ websites rather than open any links or attachments. Tried-and-true professional organizations include groups like the National Association of Enrolled Agents (NAEA), the American Institute of Certified Public Accountants (AICPA) and the American Bar Association (ABA) as well as their state and local affiliates. Also, be on guard for emails purporting to be from groups whose names are variations on those of established associations.
If you receive a suspicious email related to taxes or the IRS, or a phishing attempt to gain access to practitioner databases, forward those emails to firstname.lastname@example.org. Remember: The IRS never initiates contact with a tax professional (or taxpayer) via email.
The Security Summit partners also urge practitioners to follow additional safeguards, including using strong passwords, encrypting sensitive files and emails, and limiting access to taxpayer data to individuals who need to know. Regularly back up sensitive data and wipe any old disks or drives before disposal. For more information about data security, including how to create a data security plan, check out IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology (both download as a PDF).