The IRS recently warned accountants and tax preparers about a new, two-phased phishing scam involving cybercriminals posing as potential clients. This new scam is especially deceptive because many tax professionals are so inundated with client requests during tax season that they may let their guard down.
Here’s how it works. The first phishing email comes in the form of a request for service with a message along the lines of, “I need a tax preparer to file my taxes.” If you take the bait and answer back, a second email includes either an embedded web address or a PDF attachment with an embedded web address that supposedly contains the prospective client’s tax information. When you click on the link or download the attachment, your email address, password and other private information are then collected. Note that there are single-step versions of these emails as well, where the bad actor attaches the “tax information” in the first email.
While it may seem like an attempt that would be easily weeded out, think again. Often, these emails appear to come from a legitimate source—a well-known organization, friend or co-worker—because those accounts have also been compromised. In this example, the message would appear to come from someone who is sincerely looking for assistance in having their tax return prepared.
This latest scam is just another step cybercriminals are taking to gain access to your firm’s and your clients’ personal information so they can attempt to file and claim fraudulent tax returns.
How tax software providers are safeguarding against these threats
Thomson Reuters and other tax software providers are working in partnership with the IRS to safeguard accounting firms and their clients, particularly when it comes to new requirements and additional security measures that strengthen login credentials for all tax-related software. Here’s an overview of what’s required, and additional steps some software companies may be taking.
- Login requirements. The IRS requires that any tax-related software for professionals must have a login with certain password requirements, regardless of whether the software is accessed via desktop or the cloud.
- Password strength. As defined by the IRS, a strong password must now contain a minimum of eight characters with at least one uppercase letter, one lowercase letter, one number and one special character. The IRS requires that passwords expire after no more than 90 days.
- Timeout period. After 30 minutes of user inactivity, access to the tax software application is suspended and users are required to re-authenticate using their credentials. It’s important to note that only access is suspended, not the operation of the software: processes already running in the software continue during the timeout period (provided the software provider implements the timeout properly).
- Multi-factor authentication. It is strongly advised that firms employ multi-factor authentication with industry standard authentication factors for additional security, if available from the software provider. Thomson Reuters provides a multi-factor mobile app to make this protection readily available.
- Issuing License PINs. As part of ongoing efforts to increase security, some vendors, such as Thomson Reuters, issue every firm a License PIN which must be input before customers can download software licenses. It’s important to note that the default PINs should be updated immediately to add an extra layer of security.
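As an added illustration of the three measurable rules in the list above (password complexity, 90-day password expiry and the 30-minute inactivity timeout), the following Python is example code written for this page; it is not code from Thomson Reuters or any tax software product. The function names and the sample dates are my own, and the set of characters counted as “special” is an assumption, since the IRS requirement as quoted here does not enumerate them.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Policy values exactly as stated in the article.
MIN_LENGTH = 8
MAX_PASSWORD_AGE = timedelta(days=90)
INACTIVITY_TIMEOUT = timedelta(minutes=30)

# Required character classes. Treating any non-alphanumeric character as
# "special" is an assumption; the article does not list the permitted set.
_REQUIRED_CLASSES = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def password_problems(password: str) -> list[str]:
    """Return every policy rule the candidate password violates.

    An empty list means the password satisfies the stated IRS minimums.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _REQUIRED_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the 90-day maximum."""
    return now - last_changed > MAX_PASSWORD_AGE


def session_suspended(last_activity: datetime, now: datetime) -> bool:
    """True once the user has been idle for 30 minutes or more.

    Only interactive access is gated by this check; background work the
    application already started is not stopped by it.
    """
    return now - last_activity >= INACTIVITY_TIMEOUT


def access_decision(last_changed: datetime, last_activity: datetime, now: datetime) -> str:
    """Combine the checks into the action the login layer should take."""
    if session_suspended(last_activity, now):
        return "re-authenticate"
    if password_expired(last_changed, now):
        return "change-password"
    return "allow"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ("Tax2024!", "password", "Ab1!"):
        print(candidate, "->", password_problems(candidate) or "compliant")
    changed = datetime(2024, 1, 1, 9, 0)
    print(access_decision(changed, datetime(2024, 1, 1, 9, 0), datetime(2024, 1, 1, 9, 31)))
```

The checks are deliberately separate so that a product could log which rule failed; the combined `access_decision` shows the ordering a login layer would apply, with the idle timeout taking precedence over password age.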
The importance of staying informed
In addition to staying in contact with your tax software provider and keeping track of updates from the IRS, you should also consult with your legal and technology security advisors for regular guidance on data security practices and legal standards applicable to your practice.
While the IRS and tax software providers are taking steps to combat cyber-attacks, it’s imperative that you remain vigilant and stay informed. Your firm’s privacy and reputation are at stake.
For more information on the ins and outs of phishing, as well as advice on how to protect your firm’s sensitive information, check out Phishing schemes: An accelerating threat for accounting firms.