IRS Warns of Fake Tax Software Update SchemeAgency Continues to Battle Identity Theft Attempts
Just in time for the seasonal upgrading of tax software, the IRS is warning of phishing emails that try to trick tax professionals into downloading software updates, but in fact steer victims into divulging login credentials.
The warning comes during a 10-week IRS security education campaign called "Don't Take the Bait," which is designed to educate tax preparers on the efforts by cybercriminals to steal personal information, and, in some cases, refunds.
The IRS has seen the fake software update scheme before, and the agency warned of it a year ago. It revolves around bogus emails that purport to come from tax software developers.
"This sophisticated scam yet again displays cybercriminals' tax savvy and underscores the need for tax professionals to take strong security measures to protect their clients and protect their business," the IRS says.
The emails have the subject "Software Support Update" and emphasize the need for an important upgrade. But to receive the upgrade, the email asks the victim to revalidate their login credentials and shares a link to a bogus website that appears to be the software developer's portal.
"It thanks recipients for continuing to trust the software provider to serve their tax preparation needs and mimics the software providers' email templates," the IRS says.
Once the information has been collected, the attackers "use the stolen credentials to access the preparers' accounts and to steal client information," the IRS says.
In February, the agency warned of a similar phishing scheme in which recipients were falsely warned that their tax preparation software had been locked. In order to unlock the software, victims were advised to click and link and enter their account credentials (see IRS: New Email Phishing Combines W-2 Theft, Wire Fraud).
The IRS, and anyone who must file a tax return, are rich targets for fraudsters. This year, the agency has seen continued attempts to pilfer refunds or steal personal information.
Tax preparers are also being hit. Between January and May, the IRS says it received 177 reports from tax professionals or firms that had seen data stolen. The thefts affected thousands of people. On average, the agency receives three to five reports a week from tax preparers.
The IRS says that targeted information includes login credentials for tax software, Electronic Filing Identification Numbers (EFINs), Centralized Authorization File (CAF) numbers and Preparer Tax Identification Numbers (PTINs).
The IRS says that the increased push for taxpayers' personal information is the result of an effort to strengthen tax filing security and stop identify theft. "This is why tax professionals, who hold sensitive financial data, are critical targets," it says.
The IRS has been trying to fight fraud through education. The latest "Don't Take the Bait" campaign covers spear phishing, business ID theft, ransomware, business email compromise and remote network intrusions. The campaign is part of the Security Summit, an effort with states, tax preparation firms, payroll and tax financial product processors to counter identify theft.
But spear phishing - the practice of sending very targeted fraudulent emails - is tricky to stop. If spam filters miss a message and certain email authentication protocols aren't employed, users aren't a reliable defense against clicking on something malicious. And it's even harder to stop if the attackers have already compromised a legitimate email account within an organization.
In February, the IRS warned of one of the most dangerous phishing scams it had ever seen.
The attackers would first target human resources and personnel officials, requesting batches of W2s, the annual wage and salary reports required to file a tax return. Those forms contain enough personal information to file fraudulent requests for tax refunds.
If a company provided that information, the fraudsters would come back with a more aggressive ploy: wire transfers. By pretending to be either a legitimate employee or a supplier, the attackers attempted to convince the finance department to wire money to an account.