Don’t Catch Trouble from Phishing

Practice Management

Phishing – sending scam emails – is still the most common way cybercriminals try to steal sensitive data. The IRS has issued some tips to help tax and other professionals avoid falling prey to such phishing expeditions.

In Tax Tip 2019-120, the IRS says that more than 90% of data thefts start from phishing operations, through which cybercriminals use phishing emails and malware to gain control of computer systems or to steal usernames and passwords.

The IRS identifies the following phishing tactics. 

 

  • Spear phishing. The objective of a spear phishing email is to pose as a trusted source and bait the recipient into opening an embedded link or an attachment. The email may make an urgent plea to the tax pro to update an account immediately. A link may seem to go to another trusted website, but it’s actually a website controlled by the thief.
  • Keylogging. An attachment may contain malicious keylogging software, which secretly infects a computer and gives the thief the ability to see every keystroke. Thieves can then steal passwords to various accounts. The thief can even take remote control of computers, enabling them to steal taxpayer data.
  • Pretending to be a client. Thieves sometimes pose as a prospective client and send an unsolicited email to their target. After an exchange of emails, the thief sends a follow-up email with an attachment. The thief claims it contains the tax information needed to prepare a return. Instead, it contains spyware that allows thieves to track each keystroke.
  • Sending links. Thieves sometimes pose as tax software providers or data storage providers with emails containing links. These links go to web pages that mirror real sites. The thieves’ goal is to trick tax professionals into entering their usernames and passwords into these fake sites, which the crooks then steal.
  • Ransomware. In this scam, the thief doesn’t steal the data; they encrypt it. Once they encrypt the data, thieves demand a ransom in return for the code to decrypt the data. The FBI warns users not to pay the ransom because thieves often don’t provide the code.

The IRS argues that employers and employees should be able to identify such scams, and that those “in the business world are only as safe as their least educated employee.”
