With the arrival of tax season, the IRS has sent out a dire notice to tax professionals warning them of a new wave of digital scams involving people trying to steal Electronic Filing Identification Numbers (EFINs).
Agency officials said they have seen a wave of fake emails with the subject line, “Verifying your EFIN before e-filing,” that purport to come from “IRS Tax E-Filing.” The IRS said tax professionals have become “prime targets” for cyberattackers looking for information that would make it easy to steal identities and file falsified tax returns for refunds.
“Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season,” said IRS Commissioner Chuck Rettig. “Tax professionals must remain vigilant. The scammers are very active and very creative.”
SEE: Identity theft protection policy (TechRepublic Premium)
The IRS shared a copy of the emails that tax professionals are seeing, noting that they insidiously pretend to be from IRS officials seeking to protect them from “unauthorized/fraudulent activities.”
The email asks that tax preparers send over “a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary,” as well as photos of the front and back of a driver’s license “in order to complete the verification process.”
The agency created an email address—email@example.com—and said those who receive these kinds of scam emails should contact the Treasury Inspector General for Tax Administration. The warning acknowledges the difficulties of emails like these because of the scary-sounding consequences of not sending over EFINs, but said the end goal is for tax professionals to click links or download documents that could contain malware.
In some instances seen by the IRS, the scammers pretend to be customers in search of help, sending over malware-infected email attachments that purport to be necessary tax information. A number of instances have also involved scammers sending over keystroke trackers or ransomware.
Cybersecurity experts highlighted that most attacks seen over the past few years were aimed at consumers but said that it was becoming increasingly common for attackers to move past average people and aim for targets with more data.
“By targeting tax firms, an attacker could gain access to highly sensitive tax data such as Social Security numbers and bank account information for that firm’s entire customer base. People access their work email on a smartphone or tablet just as much as they do on a computer. Attackers know this and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message,” said Hank Schless, senior manager of security solutions at Lookout.
“Unless you tap into the sender name, mobile email clients only display the sender name and not the reply-to address social engineering attacks are more difficult to spot on mobile. They’re also easier to deliver, as there are countless ways to send messages on a mobile device.”
Schless added that Lookout’s data shows that about 15% of financial services employees encountered a mobile phishing attempt each quarter in 2020.
As more information becomes widely available on the internet, there has been a spate of attackers filing false tax refunds or documents for government loans, especially in the last year as state and federal systems have had to contend with managing millions more requests in shorter time frames.
Cyberattackers across the world were able to steal billions in unemployment insurance and emergency government loans last year as the US government tried to keep the economy afloat with direct payments or PPP loans.
“Identity theft is the biggest concern with filing taxes. This means that someone files taxes on your behalf and receives your tax refund. Your claim would be rejected leaving you to contend with proving your identity to the IRS and hoping to get your refund someone else already collected,” said Chris Morales, head of security analytics at Vectra.
“Normally the recommendation is to not share personal information or sensitive data like Social Security numbers, however, because of major hacks we have seen in the past, this information may well already be on the Dark Web for sale to anyone who wants it.”
Bob Rudis, chief data scientist at Rapid7, said attackers “use a sense of urgency to coerce us into ignoring our usual defenses and if they succeed, the price is often our valuable personal, health, or financial information.”
“This is an annual hot-spot in the calendar in the US for these types of scams and that alone should be a call to increased scrutiny of all inbound communications. The pandemic and new stimulus affordances to at-risk Americans has placed an increased burden on the need to file early this year,” Rudis added.
James McQuiggan, security awareness advocate at cybersecurity firm KnowBe4, noted that cybercriminals have a tendency to tailor attacks to the season, whether it be Christmas, Valentine’s Day or tax season.
But the tax scams were particularly dangerous because of the kind of information tax professionals naturally have access to. All cybercriminals have to do is provide a different mailing address or account numbers in an attempt to pocket the tax return funds, he added.
“Going after Social Security numbers, names, addresses, emails, and of course, all the income and deduction data can provide information for the cybercriminal to attempt to file the taxes themselves,” McQuiggan said.
Most cybersecurity experts reiterated the same advice given to average tax filers, namely that the IRS will never just email you or call you asking for more information.
Tax filers and professionals should always go through government sites directly and should develop relationships with government agencies that require a unique password and multifactor authentication, according to Tom Pendergast, chief learning officer at MediaPro.
Schless urged tax preparers to train employees on this exact issue and do security test runs to see how offices would respond to these kinds of attacks.
As always, basic advice like checking reply-to addresses is always necessary and any messages with threatening language related to time-sensitive information should be red-flagged.
“These scams use a multitude of scenarios that individuals and organizations face each year, as they work through the often confusing, stressful, and frustrating task of figuring out how much they will owe or will get refunded, by the government. This stress and confusion only serve to make the scammers’ job easier,” said Erich Kron, security awareness advocate at KnowBe4.
“Tax scams are expected during the first quarter of each year. They are as inevitable as paying taxes.”