IRS Warns Tax Pros of a New Phishing Email Scam That Impersonates the IRS and Attempts to Steal EFINs

Last week, the IRS and Summit partners issued an urgent EFIN scam alert to tax professionals.


"Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season," said IRS Commissioner Chuck Rettig. "Tax professionals must remain vigilant. The scammers are very active and very creative."


According to the IRS, the latest scam email claims to come from "IRS Tax E-Filing" and carries the subject line "Verifying your EFIN before e-filing."


Cybersecurity experts in email phishing weighed in:


Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education:

“What’s worse than a scammer going after an individual tax filer? One who goes after tax filing professionals, hoping to gain access to the bank accounts of many more Americans keyed up about paying taxes in a difficult financial climate. That’s why tax filers have to be doubly skeptical of any attempted contact related to tax IDs.

The good thing is, the core advice for taxpayers and tax filers alike is: never respond directly to emails or phone calls requesting information or providing links—instead, use known access sites or contact methods to conduct business; establish a trusted relationship with government agencies that require a unique password and multi-factor authentication; report suspected phishing attempts to the appropriate agency.”

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions:

“Tax season is something malicious actors use to their advantage every single year. We most often hear about phishing campaigns that target consumers, but now we’re seeing more attacks like this one focusing on tax professionals. By targeting tax firms, an attacker could gain access to highly sensitive tax data such as social security numbers and bank account information for that firm’s entire customer base.

People access their work email on a smartphone or tablet just as much as they do on a computer. Attackers know this and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. Unless you tap into the sender name, mobile email clients only display the sender name and not the reply-to address.

Social engineering attacks are more difficult to spot on mobile. They’re also easier to deliver, as there are countless ways to send messages on a mobile device. For example, SMS messages have less stringent spam filtering and social media platforms allow attackers to build convincing profiles to distribute malicious content. According to Lookout data, about 15% of financial services employees encountered a mobile phishing attempt each quarter in 2020.

The best first-line defense against an attack like this is training. Be sure to constantly run security training and include mobile in those sessions. Simple steps like always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach. Any text, email, WhatsApp message, or any communication that creates a time-sensitive situation should be a red flag. Approach these messages with extreme caution or go straight to your IT and security teams to have them vet it first. Communication from the IRS and other tax agencies traditionally comes through the mail. Even then, you should be sure to validate any communication you receive.”

Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

“Identity theft is the biggest concern with filing taxes. This means that someone files taxes on your behalf and receives your tax refund. Your claim would be rejected, leaving you to contend with proving your identity to the IRS and hoping to get your refund someone else already collected. Normally the recommendation is to not share personal information or sensitive data like social security numbers; however, because of major hacks we have seen in the past, this information may well already be on the dark web for sale to anyone who wants it.

The second risk is phishing, where someone calls or emails you and demands a payment in the hope that you provide bank account or credit card information. The IRS would never call or email directly requesting a payment, nor would it ask for personal information online. It is best to always ignore all of these calls and reach out to the IRS directly if there are any questions.

The final risk is malware attacks from email attachments that can compromise your local system to gain access to sensitive information. The IRS would never send an email with an attachment and all of these should be ignored. It is best to reach out to organizations, like the IRS, directly if there are any questions. A risk is malware attacks from links and attachments that can compromise your local system to gain access to sensitive information.”

Joseph Carson, chief security scientist at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions:

“The reason why consumers still fall for tax scams is quite simple: the emails are so authentic looking it is difficult for consumers to tell the difference from the real thing. These scams are so widespread because they work and it is easy money for cyber criminals. If you have a large target list, and many of the victims are unable to tell the difference between a scam and the authentic notices, then even if a small number of people fall for such a scam, it is still extremely profitable for the cyber criminals. Cyber criminals use a lack of good cyber hygiene, fear of breaking the law, and financial penalties if unpaid as scare tactics, which continue to prove effective.

There are many ways to stop these scams from being successful. The quickest is to develop better cyber security hygiene by educating consumers on ways to detect email scams. Another way to stop and prevent such scams is to use a good email spam filter that will help ensure such email scams do not make it to the email inbox. If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also. Check the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also check your personal details for accuracy. These simple tips can help avoid a potential cyber security nightmare.”
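The checks the experts describe (look at the real sender address rather than the display name, notice when the reply-to points elsewhere, and compare a link's visible text with where it actually goes) can be scripted for message triage. The following is an added example, not code from the article or from any of the vendors quoted; the message, domains and the trusted-domain list are constructed assumptions modelled on the alert.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
# Constructed sample modelled on the alert described above (not a real scam sample).
SAMPLE = """From: "IRS Tax E-Filing" <efin-verify@example-mailer.test>
Reply-To: returns@example-collector.test
Subject: Verifying your EFIN before e-filing
Content-Type: text/html

<p>Your EFIN must be verified: <a href="http://example-collector.test/efin">https://www.irs.gov/e-services</a></p>
"""
TRUSTED_DOMAINS = {"irs.gov"}  # assumption: the only domain the agency would mail from

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(value):
    """Domain part of an e-mail address or an http(s) URL, lower-cased."""
    m = re.search(r"@([^>\s]+)$", value) or re.match(r"https?://([^/\s]+)", value)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Apply the three checks the experts describe; return a list of findings."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if domain_of(sender) not in TRUSTED_DOMAINS:   # real address, not the display name
        findings.append(f"display name {name!r} but sender domain {domain_of(sender)!r} is not trusted")
    if reply_to and domain_of(reply_to) != domain_of(sender):   # replies go elsewhere
        findings.append(f"reply-to domain {domain_of(reply_to)!r} differs from sender")
    links = LinkCollector()
    links.feed(msg.get_payload())
    for href, text in links.links:           # what hovering over the link would reveal
        if text.startswith("http") and domain_of(text) != domain_of(href):
            findings.append(f"link text shows {domain_of(text)!r} but goes to {domain_of(href)!r}")
    return findings
```

Running `triage(SAMPLE)` on the constructed message yields three findings; a message from a trusted domain with matching links and no diverging reply-to yields none.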

