For tax professionals everywhere, the move from physical paperwork to digital tax filing means that client privacy and cyber security are more important than ever. And while the Internal Revenue Service takes steps to protect your information from identity theft, that doesn't mean that thieves stop trying to steal sensitive information. Watch out for scams and schemes this tax season to keep your clients' information secure.
Email phishing scams from fraudulent clients
Tax year 2020 saw an increase in email phishing schemes aimed at tax professionals, attempting to gain access to personal information. Scammers first make contact by sending you an email that appears to come from a real client or colleague.
After you respond, the scammer sends a web address or file attachment that purportedly contains their tax info—but it’s actually malware that infects your system when you click the link or open the attachment. This can allow the scammer to steal your passwords, email addresses, and other private information that they can use to access your bank accounts or financial information.
From there, the malware can use your system to send fraudulent emails to other contacts in your address book—emails that seem like they're coming from you. Conversely, if one of your contacts is affected, you might receive the phishing email from them.
- Watch out for attachments sent from people you don’t know, or attachments from those you do know that are sent seemingly out of the blue.
- Use anti-virus software to check any attachments you receive via email before opening them, and talk to new prospects on the phone to get a better sense of whether they are a legitimate client or not.
Fraudulent emails from the “IRS”
In some cases, identity thieves send phishing emails that appear to be from the Internal Revenue Service or the IRS e-services; these even include the IRS logo to lend legitimacy to the fraud. However, the IRS does not contact you via email for issues involving your account or your clients' accounts.
If you click the link and fill out the form, the scammers can use the information to access your accounts and, potentially, steal more information or money.
- Watch out for emails with the subject line "Security Awareness for Tax Professionals" directing you to a fake e-services registration site via an embedded web link.
Fraudulent calls from your Electronic Return Originator
In addition to email phishing, some identity thieves are targeting tax professionals with voice phishing, or “vishing.” A common ploy is to pose as representatives from your electronic return originator, or ERO. The scammer may claim your software is corrupted or out of date, and then request remote access to your computer to update the software. Of course, they’ll actually use that remote access to take over your account and steal your information.
- Watch out for emails that your ERO sends apparently out of the blue, especially if they claim you’re facing a security risk, and do not grant anyone remote access to your computer.
- If you’re concerned, call your ERO to confirm your software is up-to-date and functional.
How to protect yourself and your clients
Scammers and hackers who target tax professions cook up new schemes all the time, but these best practices may help you avoid identity theft. In summary:
- Don’t open attachments or click web links from senders you don’t recognize. If colleagues send attachments seemingly out of the blue, give them a quick call to confirm the email is legitimate.
- Don’t fill out personal or financial information on forms you’ve accessed via a web link, even if the page looks authentic. Instead, visit the site directly—for example, go to IRS.gov, then search for the form you need.
- Forward any emails that appear to be from the IRS to firstname.lastname@example.org, then delete the email from your inbox and trash folder. The IRS does not contact you via email for issues involving your account.
- Don’t allow unknown parties remote access to your computer based on a phone call that seems to be from your ERO. Report fraudulent calls to the IRS stakeholder liaison contact for your area.
- Don’t access sensitive client or personal information over public Wi-Fi, like at the airport or a coffee bar, since your information may be intercepted.
For recent updates on the types of scams targeting taxpayers and tax professionals, visit the IRS page Tax Scams/Consumer Alerts.
Looking for expert tax help? Real experts can help, or even do your taxes for you with TurboTax Live. Get unlimited advice as you do your taxes, or have everything done for you—start to finish. Learn more about How TurboTax Live Works.