On Thursday, the IRS warned tax practitioners not to fall for the latest phishing scheme, involving emails from scammers posing as state accounting and professional associations (IR-2018-125). At the time of the IRS alert, practitioners in Illinois, Iowa, New Jersey, and North Carolina had been targeted, and the IRS had received reports of one involving a Canadian accounting association.
The scam is aimed at getting practitioners to disclose their usernames and passwords, using the following "awkwardly worded" language: "We kindly request that you follow this link HERE and sign in with your email to view this information from (name of accounting association) to all active members. This announcement has been updated for your kind information through our secure information sharing portal which is linked to your email server."
The IRS cautioned practitioners to be alert to any type of email scam because cybercriminals often change their tactics.
The IRS advised tax practitioners who are members of professional associations to go directly to the associations' websites and not open any links or attachments in email. Practitioners who receive suspicious emails should forward them to email@example.com.
The IRS recommends that practitioners remain vigilant against any scam by implementing the following safeguards:
- Practitioners should learn how to recognize phishing emails, especially those purporting to be from the IRS, IRS e-Services, a tax software provider, or cloud storage provider. Practitioners should never click on a link or open any attachment from a suspicious email. The IRS never first contacts a tax professional using email.
- Practitioners should create a data security plan using these resources: IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals, published by the National Institute of Standards and Technology.
- Review internal controls:
  - Practitioners should install anti-malware/anti-virus security software on all devices, including laptops, desktops, routers, tablets, and phones, and make sure software is set to automatically update.
  - Practitioners should create passwords at least eight characters long, although longer is better. In addition, it is important to use different passwords for each account and use special and alphanumeric characters and phrases. All wireless devices should be password-protected. To keep track of all these passwords, consider getting a password manager program.
  - Practitioners should encrypt all sensitive files/emails and use strong passwords.
  - Practitioners should back up sensitive data to a safe and secure external source not connected full time to a network.
  - Practitioners should wipe clean or destroy old computer hard drives and printers that contain sensitive data, since discarded devices holding such data are ripe for misuse.
  - Practitioners should limit access to taxpayer data to only those individuals who need to know.
  - Practitioners should keep track of their IRS e-Services account, checking weekly for the number of returns filed with the practitioner's electronic filing identification number.
  - Practitioners should report any data theft to the appropriate IRS Stakeholder Liaison.
  - Practitioners should subscribe to the IRS's e-News for Tax Professionals, Quick Alerts, and social media.
— Sally P. Schreiber (Sally.Schreiber@aicpa-cima.com) is a JofA senior editor.