Tax season is here, which means tax fraud season is here, too.  This year, the Internal Revenue Service (IRS) is warning tax practitioners about a new phishing scam targeted at them and reminding all employers about fraudsters’ continued use of a scam to collect Form W-2 from entire companies.

Cybercriminals have traditionally targeted taxpayers, in an attempt to obtain their personal information, through phone or email scams.  Perhaps due to advances made in educating the public about identity theft, cybercriminals are now shifting tactics and targeting tax professionals to obtain the same sensitive, personal information.

Here is how the scam targeting tax preparers works:  Fraudsters send introductory emails to tax professionals posing as potential clients to gain access to the professionals’ computer systems and collect the personal information of clients.  Some emails reported to the IRS include:

  • “Happy new year to you and yours. I want you to help us file our tax returns this year as our previous CPA passed away in October.  How much will this cost us?  Hope to hear from you soon.”
  • “A friend of mine introduced you to me regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attached is my information needed for my tax to be filed.  If you need more details please feel free to contact me.”

The email may contain a phishing URL or an attachment containing a phishing URL claiming the individual’s tax data is enclosed.  Once the recipient clicks the link, malware is secretly downloaded that allows the cybercriminal to track keystrokes or gain remote access to the recipient’s computer and steal personal information.  That information can then be used to file fraudulent tax returns or sold on the Dark Web.

In a twist, a few cases have seen fraudulent returns deposited in taxpayers’ real bank accounts.  Then, a person posing as a debt collection agency official contacts the taxpayer, says a refund has been deposited in error, and asks the taxpayer to forward the funds to the caller.

One scam that is not new, but about which IRS officials are again warning employers, is a phishing scam targeting payroll or human resources departments in an attempt to obtain employees’ Forms W-2.  This scam first appeared in 2016, and the IRS does not expect it to slow down in 2018, calling it “one of the most dangerous phishing emails in the tax community.”

As we reported last year, here is how the Form W-2 scam works:  Cybercriminals pose as an executive in a company in an email to payroll or human resources and request copies of Forms W-2 for all employees.  Fraudsters have even used an executive’s signature block in the email to increase legitimacy.

The initial email to the employee may be a simple “Hi, are you working today?” before the fraudster requests employee information.  Emails typically include language such as:

  • “Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2017. I need them in PDF file type, you can send it as an attachment.  Kindly prepare the lists and email them to me asap.”

During the last two filing seasons, cybercriminals have targeted all types of employers, including large and small businesses, public schools and universities, hospitals, tribal governments, and charities, meaning that all employers should take steps to educate their employees and safeguard employees’ personal information.  Employers may also want to consider limiting the number of employees who handle Form W-2 requests and requiring additional verification procedures before emailing the Forms.

Regardless of the phishing method, the IRS has recommended a number of basic steps all employers should take—whether it be a small tax preparer or a large business:

  • Educate all employees about phishing emails and train them to not click on pop-ups or suspicious links.
  • Use strong, unique passwords.
  • Never take an email from a familiar source at face value.
  • Consider verbal confirmation by phone with the sender of an email before sending further information or accessing links or attachments.
  • Notify the IRS of all suspicious tax-related phishing emails (phishing@irs.gov for all phishing emails, and dataloss@irs.gov for Form W-2 scam emails).

Additional federal resources:

“Don’t Take the Bait” Security Awareness Campaign

Report Phishing and Online Scams

Tax Scams and Consumer Alerts

Our Data Privacy and Security team is currently assisting multiple clients in responding to nearly identical fraudulent requests for IRS Form W-2 information. Significantly, these clients are in a number of industries and are located in a variety of states, which confirms that this scam is widespread.

IRS Issues Warning About W-2 Scam

Earlier this month, the Internal Revenue Service (IRS) issued a warning that the Form W-2 e-mail phishing scam is circulating again and has grown to include a wider variety of industries this year.

What Is the Scam?

The criminals behind the W-2 phishing scam disguise an e-mail so it appears to be from a CEO or other executive within the company. In fact, some of the request e-mails contain signature lines that are identical to those in legitimate e-mails.  The e-mail is sent to an employee, typically in payroll or human resources, and asks for copies of the Forms W-2 or other sensitive employee information, including Social Security numbers.

Criminals attempt to get the Forms W-2 before employees have a chance to file their returns. This allows the criminal to file the return first and obtain the refund that should have gone to the employee.

In some cases, the W-2 request is combined with or followed by a request for money to be electronically transferred to third party accounts.
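A triage check for the executive-impersonation pattern described here and in the first post’s W-2 section, as an added example that is not code from the IRS or this firm: it scores one inbound message on its sender and Reply-To domains and on the request wording quoted above. The company domain and executive names are placeholders, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (placeholder) directory: the domain payroll expects mail from, and the executives the scam borrows.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

# Phrasing drawn from the scam emails quoted in the IRS warnings above.
W2_TERMS = re.compile(r"\b(w-?2s?|wage and tax statements?|earnings summar(y|ies))\b", re.I)
BULK_TERMS = re.compile(r"\b(all|list of|entire|every)\b.{0,40}\b(employees?|staff)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(asap|kindly|quick review|are you working today)\b", re.I)
FLAG_THRESHOLD = 5  # a W-2 request plus any single impersonation signal crosses this

def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def score_w2_request(raw_email):
    """Return (score, reasons) for one plain-text RFC 822 message; higher is more scam-like."""
    msg = message_from_string(raw_email)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # single-part bodies only
    checks = [
        # Executive display name, but the message did not come from the company's own domain.
        (3, "executive name on an external sender address",
         name.strip().lower() in EXECUTIVES and _domain(sender) != COMPANY_DOMAIN),
        (2, "Reply-To goes to a different domain than From",
         bool(reply_to) and _domain(reply_to) != _domain(sender)),
        (2, "asks for W-2 / wage and tax data", bool(W2_TERMS.search(text))),
        (2, "asks for the records of all employees", bool(BULK_TERMS.search(text))),
        (1, "pressure or informality typical of the scam", bool(URGENCY_TERMS.search(text))),
    ]
    hits = [(points, why) for points, why, hit in checks if hit]
    return sum(points for points, _ in hits), [why for _, why in hits]

def is_w2_scam(raw_email):
    return score_w2_request(raw_email)[0] >= FLAG_THRESHOLD

# Constructed sample messages (not real mail), modelled on the quoted scam wording.
SCAM_EMAIL = """\
From: "Jane Doe" <jane.doe@mail-example.net>
Reply-To: <jane.doe.ceo@webmail-example.org>
Subject: Re: quick request

Hi, are you working today? Kindly send me the individual 2017 W-2 (PDF)
and earnings summary of all W-2 of our company staff for a quick review.
"""
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.com>

Could you send me the Q1 headcount report when you have a chance? Thanks.
"""
```

A hit on the flag threshold is a prompt for the out-of-band verification step the IRS recommends, not a verdict; a legitimate executive mailing from a personal account will also score on the first check.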

“This is one of the most dangerous e-mail phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns.  We need everyone’s help to turn the tide against this scheme,” said IRS Commissioner John Koskinen.  The IRS also warns that businesses that were victims last year are receiving scam e-mails again this year.

Prevention

Never respond to an e-mail that demands the immediate release of sensitive personal information or money without first independently verifying the identity of the sender.  Also, do not call any number supplied in the request e-mail as the form of verification because the criminals have set up phone banks that enable them to continue the ruse.  Instead, be sure to verify the request in person or use an internal phone number to speak directly with the (alleged) requestor.

If Your Company is a Target

If your company is targeted by a W-2 or wire transfer scam, you should report the attack to the IRS without responding to the scammer. Any W-2 scam e-mail can be forwarded to phishing@irs.gov with “W2 Scam” in the subject line. You should also file a complaint with the Internet Crime Complaint Center. For more information from the IRS visit www.irs.gov/identitytheft.

Further, if any inadvertent disclosure of sensitive personal information has been made in connection with this scam, report the incident to the IRS and law enforcement, such as the FBI, as soon as possible. You may also contact McGuireWoods for assistance.  We are currently working with clients to respond to these breaches and are very familiar with the response process, including any state notifications that may be required. We can also assist with reporting to law enforcement and the IRS.

With tax season around the corner, the Internal Revenue Service (IRS) has begun its yearly campaign to educate taxpayers on the importance of protecting their personal information.  However, a recent audit of the agency’s email use reveals the awkward truth that even the IRS does not always follow best practices when it comes to protecting taxpayers’ sensitive information.

On November 17, 2016, the Treasury Inspector General for Tax Administration (TIGTA) released its October report on an audit of emails sent by 80 randomly selected IRS employees in the Small Business/Self Employed (SB/SE) division during a four-week period in the spring of 2015.  The audit revealed that 39 of the 80 employees sent a total of 326 unencrypted emails containing 8,031 different taxpayers’ personally identifiable information (PII).

The Office of Management and Budget defines PII as any information that can be “used to distinguish or trace an individual’s identity,” such as names, Social Security numbers, birth dates, or tax return information.  The TIGTA report observed that loss, theft, or unauthorized disclosure of PII places individuals at risk for invasion of privacy and identity theft.

Of the 326 unencrypted emails identified by TIGTA, IRS staff sent 275 within the agency and 51 to non-IRS email accounts, including some emails to agents’ personal email accounts, for reasons that are unclear. Most of the internal emails were sent using the IRS’ Enterprise e-Fax system, which allows employees to fax documents from their computers, but which does not have encryption capability.

In its report, TIGTA extrapolated the results of the 80-employee sample to the entire IRS staff and estimated that, over the same four-week period, 11,416 IRS employees sent 95,396 unencrypted emails with private information of 2.4 million taxpayers. If this rate is typical, TIGTA determined, it could mean that the IRS annually sends more than 1.1 million unencrypted emails with private information of 28.2 million taxpayers.  The IRS has established penalties for employees who send unencrypted emails with taxpayers’ personal information, ranging from warning to termination; however, neither the TIGTA nor the IRS has said whether anyone has been disciplined.

In its response, the IRS noted that TIGTA’s review did not identify any instances where unencrypted information was sent to an unintended recipient or fell into the wrong hands.  Karen Schiller, Commissioner of the SB/SE division, also observed that, because most of the emails were sent internally, they remained “within the extensive protections of the IRS firewall” and therefore posed “a minimal risk of disclosure or access.”  Nonetheless, Schiller and the agency recognized that the TIGTA audit reveals areas where the IRS can improve, including in its use of encryption, and emphasized that the IRS is committed to ensuring the privacy and security of taxpayer information against external threats.

The inspector general’s report made several recommendations, including technology upgrades (such as encrypting emails by default and updating the e-Fax system so that it can handle encrypted messages), improved training for employees and managers, and disciplinary action for violators.

A separate TIGTA report from October, also released November 17, further revealed that the IRS failed to protect taxpayer information when it transferred data externally to other agencies and contractors.  TIGTA found that the IRS did not always share sensitive data through secure file transfer and identified a number of vulnerable IRS servers: 61 servers with “high-risk vulnerabilities,” 32 servers missing important security patches—of which four were “deemed as critical,” and 10 servers with outdated operating systems.

As April approaches, we will continue to monitor threats facing the privacy and security of taxpayer information and efforts by the IRS to educate the public—and its staff—on ways to guard against these threats.

As we recently reported, on October 20, the IRS announced the implementation of new measures developed in collaboration with state taxing authorities and tax industry leaders to prevent identity theft in refund fraud.  On November 19, the IRS announced the latest step in this collaborative effort that began in March.

The “Taxes. Security. Together.” campaign is designed to raise public awareness that even routine actions on the internet and personal devices can affect the safety of individuals’ financial and tax data.  Because the majority of tax returns are prepared on laptops, desktops, or smartphones, and because many will receive new devices during the holiday season, the campaign is designed to ensure that the public prepares taxes on secure devices.  “The IRS, the states, and the tax industry are putting in place even tougher safeguards for 2016,” said IRS Commissioner John Koskinen.  “But, we need the public’s help.  We need people to join with us and take an active role in protecting their personal and financial data from thieves.”

As part of the campaign, the IRS will release weekly tax tips on Mondays continuing through the start of tax season in January.  The tips focus on steps people can take to secure their personal devices, avoid phishing scams, and protect personal information.

On November 23, the IRS released the first Tax Tip, which outlined seven ways people can protect their computers:

  1. Understand and use security software, including essential tools such as a firewall, virus/malware protection, file encryption, anti-spam software, and pop-up blockers.
  2. Allow security software to update automatically to combat ever-evolving malware.
  3. When shopping or banking online, ensure that websites use encryption to protect your personal information by only using “https” websites, rather than “http.”
  4. Use strong passwords with at least 10 to 12 characters and a mix of letters, numbers, and special characters, and avoid using names, birthdays, or other common words.
  5. Secure your wireless network to prevent other computers from accessing and stealing information from your computer.
  6. Be cautious when using unsecured public wireless networks as sensitive information sent through websites or mobile apps while on unsecured public networks may be accessed by others.
  7. Avoid phishing attempts, and never reply to emails, texts, or pop-up messages asking for your personal information.

On November 30, the IRS released the second Tax Tip, which focused on ways to identify and avoid phishing and malware.  In phishing scams, criminals pose as a trusted person or organization, such as a friend, a bank, a credit card company, or the IRS, and make phone calls or send emails designed to trick people into sharing personal or financial information.  Through emails and websites, criminals can also infect computers with malware, which gives them access to personal devices, thereby enabling them to access sensitive files or track keyboard strokes to gain login information.  Thieves can then use the personal and financial information gained through these means to file fraudulent tax returns.

The IRS emphasized that no legitimate organization will ever ask for sensitive information through unsecured methods like email, and the IRS never sends unsolicited emails or makes calls threatening jail or lawsuits unless immediate payment is made.

The Tax Tip outlined six steps people can take to protect themselves from these schemes:

  1. Avoid suspicious emails that appear to be from the IRS or other companies, and do not click any links in emails you do not recognize.
  2. Beware of phishing scams that ask you to update or verify your accounts.
  3. Do not open attachments in emails you do not recognize.
  4. Download and install software only from websites you know and trust.
  5. Use security software to block pop-up ads, which can contain viruses.
  6. Ensure that other family members who use personal devices practice safe online and computer habits.

We will continue to track these Tax Tips as they are released until tax season begins in January.

Additional federal resources:

Subscribe to receive Tax Tips

Access released Tax Tips

Report phishing and online scams

IRS Publication 4524 – Security Awareness for Taxpayers

IRS Taxpayer Guide to Identity Theft

On October 20, 2015, the IRS, state taxing authorities, and leaders of the tax industry announced continued progress to expand and strengthen protection against identity theft in refund fraud for the 2016 tax season. “We are taking new steps upfront to protect taxpayers at the time they file and beyond,” said IRS Commissioner John Koskinen in announcing this development. “Thanks to the cooperative efforts taking place between the industry, the states and the IRS, we will have new tools in place this January to protect taxpayers during the 2016 filing season.”

(Tax-related identity theft occurs when someone uses a taxpayer’s stolen Social Security number to file a tax return claiming a fraudulent refund. Generally, an identity thief will use a taxpayer’s SSN to file a false return early in the year. The taxpayer may be unaware he or she is a victim until the taxpayer tries to file a tax return and learns one already has been filed using his or her SSN.)

The strengthened and expanded protections include the following: