IRS Issues Urgent Warning for Tax Professionals and Businesses: Beware of Spearphishing Scams

The Internal Revenue Service (IRS) has sounded the alarm, warning tax professionals and businesses to be on high alert for spearphishing scams targeting sensitive client data, tax software preparation credentials, and tax preparer identities. These cyberattacks are part of this year’s “Dirty Dozen” list, a compilation of the most dangerous tax scams.

Spearphishing scams are tailored phishing attempts aimed at specific organizations or businesses, and tax professionals are a prime target. In response, the IRS, state tax agencies, and the nation’s tax industry have joined forces under the Security Summit initiative to combat tax-related identity theft and raise awareness about these common scams.

IRS Commissioner Danny Werfel emphasizes the importance of maintaining strong defenses against cyberattacks like spearphishing. “The information these businesses have on their systems is extremely valuable to an identity thief looking to steal identities and file fraudulent tax returns,” he said. By taking simple precautions when opening emails, clicking on links, or sharing sensitive client data, tax professionals and businesses can significantly reduce their risk of falling victim to these scams.

To avoid spearphishing, the IRS recommends never clicking on suspicious links, double-checking requests with the original sender, and staying vigilant year-round, not just during filing season. Tax professionals should also be aware of the “New Client” scam, where scammers impersonate potential clients and send malicious attachments or URLs to gain access to sensitive client information.

Businesses, particularly those with payroll or accounting departments, should watch out for spearphishing scams requesting W-2 information for all employees. To mitigate this risk, the IRS suggests implementing a two-person review process for such requests and using official channels, like an employer’s Human Resources portal, for all payroll inquiries.

To report phishing or spearphishing scams, individuals should email with the email or text/SMS as an attachment, including the caller ID (email or phone number), date, time, and time zone, and the number that received the message. Taxpayers can also report scams to the Treasury Inspector General for Tax Administration or the Internet Crime Complaint Center. The IRS’s Report Phishing and Online Scams page and the Federal Communications Commission’s Smartphone Security Checker provide additional resources for combatting these threats.

If you suspect someone of promoting improper and abusive tax schemes or deliberately preparing improper tax returns, report them using Form 14242 and send it to the IRS Lead Development Center in the Office of Promoter Investigations. Alternatively, you can submit the information to the IRS Whistleblower Office for a possible monetary reward.

Stay informed and vigilant to protect yourself, your business, and your clients from these dangerous tax scams.

According to, HTML smuggling has been used in targeted, spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) like AsyncRAT/NJRAT, and Trickbot.

The following are examples of malware that can allow bad actors to gain control of affected devices and deliver ransomware or other payloads.

1. Unsolicited HTML Smuggling Phishing Attacks – In the Form of Unsolicited Reports or Attachments

2. Unsolicited HTML Smuggling Phishing Attacks – In the Form of Voicemail and Phone Calls

3. Office 365 – Fake Password Reset Emails

4. PayPal Scams

5. Domain Piracy Scams

***Disclaimer: This communication is not intended as tax advice, and no tax accountant-client relationship results***
