IR-2017-119, July 11, 2017
WASHINGTON — The IRS, state tax agencies and the tax industry today warned tax professionals to beware of spear phishing emails, a common tactic used by cybercriminals to target practitioners.
Spear phishing emails, often tailored to individual practitioners, result in stolen taxpayer data and fraudulent tax returns filed in the names of individual and business clients.
Information about spear phishing kicks off a new “Don’t Take the Bait” awareness campaign aimed at tax professionals. This is the first of a special 10-part series that will run each week through mid-September.
“We are seeing repeated instances of cybercriminals targeting tax professionals and obtaining sensitive client information that can be used to file fraudulent tax returns. Spear phishing emails are a common way to target tax professionals,” said IRS Commissioner John Koskinen. “We urge practitioners to review this information and take steps to protect themselves and their clients.”
The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to recognize and avoid spear phishing emails. See Protect Your Clients; Protect Yourself for more information.
Phishing emails target a broad group of users in hopes of catching a few victims. Spear phishing emails, by contrast, pose as familiar entities, and the cybercriminals behind them have done extensive research in order to target a specific audience. Tax professionals and taxpayers are among the groups that regularly receive phishing emails.
The security software firm Trend Micro reports that 91 percent of all cyberattacks and resulting data breaches begin with a spear phishing email. The email, disguised as being from a trusted source, may seek to have victims voluntarily disclose sensitive information such as passwords. Or, it may encourage people to open a link or attachment that actually downloads malware onto the computer.
Here’s an example of a spear phishing email that targeted a tax professional during the 2017 filing season. Note the use of “Tax return” in the subject line to bait the tax preparer as the sender impersonates a prospective client: