IRS warns of new spear-phishing tactics targeting CPAs and income tax professionals
Although the April 15 income tax filing deadline has passed, it is not the time for CPAs and income tax professionals to let their guard down. Every year, the Internal Revenue Service publishes its Dirty Dozen list, detailing "the worst of the worst" tax scams in an effort to make professionals and taxpayers aware of risks they face from bad actors. The 2024 Dirty Dozen list includes a warning regarding the prevalence of spear-phishing attacks used by fraudsters to gain access to sensitive taxpayer information.
Businesses and tax professionals are no strangers to phishing attacks. In fact, both “phishing” (fraudulent emails created by scammers with the intention of gaining personal information or access to an account) and “smishing” (phishing carried out via SMS, or text messaging) were included on 2023's Dirty Dozen list. While both phishing and smishing remain a risk to consumer information, “spear-phishing,” a more targeted form of phishing, is raising IRS alarm bells.
The newest spear-phishing trend to grab the IRS’s attention is the so-called “new client” scam. In this type of attack, the bad actor emails the professional or a member of their staff posing as a new, potential client. If the target responds, the bad actor's follow-up email will include an attachment or URL containing malware. If the attachment is opened or the link followed, the malware is used to obtain login credentials for the email account or, in some cases, to give the bad actor access to other systems. These scams peak around tax season, but remain a prevalent threat year-round.
The IRS publication also identifies red flags to look out for and precautions tax professionals can take to help avoid these attacks. Red flags include emails containing grammatical errors, poorly constructed sentences, and unusual word choices. Even if an email originates from an email account the tax professional or business is familiar with, all emails should be carefully reviewed for unusual behavior or requests, and grammatical or spelling errors.
Additionally, the IRS recommends the following actions for tax professionals and businesses to protect sensitive client information:
- never click suspicious links or download attachments from unknown senders, including potential clients
- call the potential client to confirm the email is from them
- send only password-protected and encrypted documents through email
- protect email accounts with strong passwords and two-factor authentication
- use security software products with anti-phishing tools
- be vigilant year-round, not just during tax filing season
- prioritize education and training of employees
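The “new client” pattern described above (a sender not in the firm's contact list, prospective-client language, and a payload that arrives as an attachment or link, often in the follow-up to a staff reply) can be turned into simple inbound-mail triage so that messages are held for the recommended call-back before anyone opens anything. The following is an added example, not tooling from the IRS or McDonald Hopkins; the scoring weights, phrase list, attachment types, and the sample messages are constructed for illustration.

```python
"""Triage heuristics for the "new client" spear-phishing pattern (added example).

Scores an inbound message on the red flags the IRS publication describes and
returns a verdict: "hold" (quarantine until the sender is phoned), "review"
(deliver with a warning banner), or "deliver". Weights and lists are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Attachment types that commonly carry executable or macro content (assumed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk",
                    ".zip", ".docm", ".xlsm", ".html"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Phrases that signal a prospective-client approach (constructed list).
NEW_CLIENT_PHRASES = ("new client", "potential client", "looking for a cpa",
                      "need a tax preparer", "my tax documents", "file my taxes")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)
    in_reply_to_ours: bool = False  # message replies to one our staff sent


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Email, known_contacts: set[str]) -> dict:
    score = 0
    reasons: list[str] = []
    text = f"{msg.subject}\n{msg.body}".lower()

    if msg.sender.lower() not in known_contacts:
        score += 2
        reasons.append("sender not in client/contact list")

    if any(p in text for p in NEW_CLIENT_PHRASES):
        score += 1
        reasons.append("prospective-client phrasing")

    risky = [a for a in msg.attachments
             if "." + a.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    if risky:
        score += 3
        reasons.append("risky attachment type: " + ", ".join(risky))

    # Simple substring check: a link whose host is not the sender's own domain.
    foreign = [u for u in URL_RE.findall(text) if sender_domain(msg.sender) not in u]
    if foreign:
        score += 2
        reasons.append("link to a domain other than the sender's")

    # The IRS-described sequence: payload arrives only after staff replied.
    if msg.in_reply_to_ours and (risky or foreign):
        score += 2
        reasons.append("payload delivered in follow-up to our reply")

    verdict = "hold" if score >= 6 else "review" if score >= 3 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample data.
KNOWN_CONTACTS = {"ann@knownclient.example"}
SAMPLES = [
    Email("j.doe@example.org", "Re: New client - tax documents",
          "Thanks for getting back to me. My W-2s and 1099s are in the attached archive.",
          ["2023_W2_and_1099s.zip"], in_reply_to_ours=True),
    Email("ann@knownclient.example", "Signed engagement letter",
          "Attached is the signed engagement letter.", ["engagement_letter.pdf"]),
    Email("owner@smallbiz.example", "Tax help",
          "Hi, I'm looking for a CPA for my small business. Can we set up a call?"),
    Email("prospect@example.net", "Documents",
          "Hello, I am a new client and need my tax documents reviewed: "
          "https://share.example-drive.invalid/docs/2023"),
]


def run_samples() -> list[str]:
    """Triage each constructed sample and return the verdicts in order."""
    return [triage(m, KNOWN_CONTACTS)["verdict"] for m in SAMPLES]


if __name__ == "__main__":
    for m in SAMPLES:
        r = triage(m, KNOWN_CONTACTS)
        print(f"{r['verdict']:8} score={r['score']} {m.sender}: {'; '.join(r['reasons'])}")
```

The first-contact inquiry with no attachment or link lands in “review” rather than “hold”, which matches the IRS guidance to confirm by phone rather than to ignore legitimate prospects; only a message that couples unknown-sender status with a payload, especially one arriving after staff replied, is held outright.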
Many of these recommendations are best practices that all businesses should implement, but they are particularly important for CPAs and other tax professionals, who remain attractive targets for cybercriminals.
The IRS has created numerous resources for tax professionals to protect against and respond to security incidents, identity theft, and data loss, which are available on the IRS website: Identity Theft Information for Tax Professionals.
Additionally, if you are a CPA, income tax preparer, or other tax professional with questions about your company’s compliance with cyber regulations, concerns about vulnerability to a cyberattack, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins' national data privacy and cybersecurity team.
Hannah Babinski, a law clerk at McDonald Hopkins, assisted with the creation of this article.