Spear phishing emails remain the most common way data thieves enter tax practitioners’ digital networks and steal client information, according to the IRS.
Tax pros who fall victim to spear phishing voluntarily disclose password information or download malicious software that helps thieves breach their security systems, according to the IRS, state tax agencies and the nation’s tax industry.
Spear phishing emails differ from general phishing emails in that the thief has researched the target before sending an email. An email may appear to be from a colleague, a client, a cloud storage provider, a tax software provider, the IRS or the states. The objective: to pose as a trusted source and bait the recipient into opening an embedded link or an attachment.
The email may make an urgent plea to update an account immediately; a link may seem to go to another trusted website, but it’s actually a website controlled by the thief. An attachment may contain malware called keylogging software that secretly infects computers and provides the thief with the ability to see every keystroke a user makes. Thieves can steal passwords to various accounts or even take remote control of computers.
The IRS and its Security Summit partners suggested a number of steps that tax preparers can take to protect against stolen data:
- Use separate personal and business email accounts.
- Protect email accounts with strong passwords and two-factor authentication.
- Install an anti-phishing toolbar to help identify known phishing sites.
- Use security software.
- Never open or download attachments from unknown senders, including potential clients.
- If files must be shared, send only password-protected and encrypted documents.
Publication 5293, “Data Security Resource Guide for Tax Professionals,” provides a compilation of data theft information available on IRS.gov.