Safeguarding Taxpayer Data – Avoid Scams

Notice: Historical Content

This is an archival or historical document and may not reflect current law, policies or procedures.

Protect Your Clients; Protect Yourself Tax Tip Number 2, December 14, 2016

Tax return preparers should beware of various ruses and schemes used by cybercriminals. These scams allow criminals to gain access to passwords or computer systems which allows them to steal taxpayer data. Many schemes are currently making the rounds.

Protect your clients and yourself from these ongoing and increasingly sophisticated efforts to steal data.

How serious is this threat? Here are a few examples of criminal scams and schemes intent on stealing your information from just the past few months:

  • In April and August of 2016, the IRS sent emergency alerts to tax professionals about criminals using remote access technology to gain control of preparers’ computers. The criminals used the preparers’ systems to complete client tax returns, file them with the IRS and then direct the refunds to their personal bank accounts. How the criminals gained control of preparers’ computers is under investigation. However, the incident shows the value of strong passwords, not only to access computers and each client file but also to password-protected wireless systems.
  • One successful scheme aimed at payroll professionals could easily have migrated to tax preparers. A criminal created a “spoofing” email to appear as though it came from a company executive. The email requested Form W-2 information for each employee. Because of this scam, tens of thousands of Forms W-2 were sent to identity thieves.
  • One ruse tries to make tax preparers think a client is emailing with follow-up information from a previous discussion. The included attachment doesn’t contain tax information; it contains malware designed to infect computers. The conversational tone of the phishing email tries to trick the preparer into thinking he had an earlier conversation with this client and now the ‘client’ is following up with requested tax information.
  • Cybercriminals often pose as the IRS and request information that the IRS would never ask for via email or text. One popular scam tries to trick preparers into providing their password information for IRS e-Services accounts. The email to tax preparers asks them to update their e-Services accounts. It either infects the preparers’ computers with malware that tracks keystrokes or it sends preparers to a fake e-Services page where they enter password information. If you are in doubt about an e-services or IRS Quick Alert communication, go directly to the application through Do not click on any link or attachment from a suspicious e-mail.

Scams aimed at tax preparers evolve each year. Tax professionals must be aware that any email can be a possible ploy from a clever criminal. This is just a sampling of scams. See Publication 4557 PDF, Safeguarding Taxpayer Data, for steps to protect your client and protect your business.

This is one in a series of special security awareness tax tips for tax professionals. The IRS and its Security Summit partners launched the “Protect Your Clients; Protect Yourself” campaign to raise awareness among tax professionals about the threats posed by cybercriminals.

The Security Summit is a joint project by the IRS, state tax agencies and the tax community to combat identity theft. Also see, “Taxes.Security.Together.” for information directed to taxpayers.