Tax Security 2.0 – A “Taxes-Security-Together” Checklist – Step 3

Notice: Historical Content


This is an archival or historical document and may not reflect current law, policies or procedures.

IRS, Security Summit partners alert tax professionals to the risks posed by phishing emails; education key to protecting taxpayer data

IR-2019-136, July 31, 2019

WASHINGTON — The IRS, states and tax industry partners today warned tax professionals to beware of the continuing threat of phishing emails, which remain the most common tactic used by cybercriminals to steal sensitive data.

The reminder came as the IRS and its Security Summit partners urged tax professionals to take time this summer to review their data security protections. To help this effort, the Summit partners prepared a special “Taxes-Security-Together” Checklist as a starting point.

“You can take all the cybersecurity steps in the world, but tax professionals and others in the business world should remember you are only as safe as your least educated employee,” said Chuck Rettig, IRS Commissioner. “Cybercriminals use phishing emails and malware to gain control of computer systems or to steal usernames and passwords. These can provide a treasure trove of information that can lead to tax-related identity theft.”

Educating personnel on the dangers of phishing emails is the third item on the “Taxes-Security-Together” Checklist. This summer awareness initiative also has covered deploying the “Security Six” basic steps to protect computers and email as well as creating a data security plan.

Although the Security Summit -- a partnership between the IRS, states and the private-sector tax community -- is making major progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices continue to be seen across the nation. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder for the IRS and Summit partners to detect.

Tax pros: Educate yourself on phishing emails

More than 90% of all data thefts start with a phishing email. The employee may open a link that takes them to a fake site or open an attachment that is embedded with malware that secretly downloads onto their computers.

The IRS often sees tax professionals victimized after being targeted with a tactic called spear phishing. The objective of a spear phishing email is to pose as a trusted source and “bait” the recipient into opening an embedded link or an attachment. The email may make an urgent plea to the tax pro to update an account immediately. A link may seem to go to another trusted website, for example a cloud storage or tax software provider login page, but it’s actually a website controlled by the thief.

An attachment may contain malicious software called keylogging, which secretly infects computers and provides the thief with the ability to see every keystroke. Thieves can steal passwords to various accounts or even take remote control of computers, enabling them to steal taxpayer data.

Common spear phishing scams seen by the IRS include thieves posing as prospective clients, sending unsolicited emails to tax professionals. After an exchange of emails, the thief sends an email with an attachment, claiming it contains the tax information needed to prepare a return. Instead, it contains spyware that allows thieves to track each keystroke.

The IRS also sees thieves posing as tax software providers or data storage providers with emails containing links that go to web pages that mirror real sites. The thieves’ goal is to trick tax professionals into entering their usernames and passwords into these fake sites, which the crooks then steal.

Another trick used by thieves is rather than stealing the data, they encrypt it, a practice known as ransomware. Once they encrypt the data, thieves demand a ransom in return for the code to unencrypt the data. The Federal Bureau of Investigation warns users not to pay the ransom because thieves often do not provide the code. The FBI has called ransomware attacks a growing threat to businesses and others. 

Educated employees are the key to avoiding phishing scams, and office systems are only as safe as the least informed employee. These simple steps also can help protect against stolen data:

  • Use separate personal and business email accounts; protect email accounts with strong passwords and two-factor authentication if available.
  • Install an anti-phishing tool bar to help identify known phishing sites. Anti-phishing tools may be included in security software products.
  • Use security software to help protect systems from malware and scan emails for viruses.
  • Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.
  • Send only password-protected and encrypted documents if files must be shared with clients via email.
  • Do not respond to suspicious or unknown emails; if IRS-related, forward to phishing@irs.gov.

Additional resources

The Security Summit reminds all tax professionals that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security: the FundamentalsPDF by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media

The Taxes-Security-Together Checklist

During this special Security Summit series, the checklist highlights these key areas for tax professionals: