On Aug. 11, 2016, the IRS issued a news release warning tax professionals of a phishing scam that specifically targets them, rather than their clients. This new scam takes the form of an email pretending to be from the practitioner's tax software provider that asks the practitioner to download and install an important software update by clicking on a link.
Once targeted tax professionals click on the embedded link, they are directed to a website that prompts them to download the software update. The scammers appear to have carefully labeled the file to be downloaded with the actual name of the tax preparation software, making this scam particularly hard to detect. The tax professional would believe he or she had downloaded a critical update when in fact the download contains a program designed to track the tax professional's keystrokes.
Keystroke tracking is particularly dangerous for a tax preparer because it allows the scammer to obtain clients' names, Social Security numbers, adjusted gross income, and other sensitive taxpayer data (even perhaps their bank account information if entered by the preparer for direct deposit of refunds) as well as the tax return preparer's login information, passwords, and other personal data.
I have also seen emails and faxes sent to practitioners purporting to be from the IRS, including a fake Form W-8BEN, Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding and Reporting (Individuals), to be filled out and faxed in (to a non-IRS fax number) together with a copy of a client's passport. There may be text in the email that the prior Form W-8BEN received was not properly filled out or was not legible. This form would also give incredibly detailed information that could be used for nefarious purposes in the wrong hands.
Another recent scam reported by the IRS is an email sent to taxpayers purportedly containing CP2000 notices, which are used in the IRS's Automated Underreporter Program. The notices contain an IRS tax bill supposedly related to the Patient Protection and Affordable Care Act and 2014 health care coverage. They use an Austin, Texas, post office box and request payments to the "I.R.S." at the "Austin Processing Center." The email also contains a payment link.
The scam that seems to have terrified people the most, though, remains the threatening IRS phone call where the fake IRS agent tells the taxpayer that someone is coming to arrest the taxpayer unless he or she wires money immediately. These calls can be very convincing because the taxpayer's caller ID may display that the caller is the IRS and the fake agent may know the last four digits of the taxpayer's Social Security number. While the current version of this scam seems to be directed mainly at taxpayers, there are reports that cybercriminals have targeted tax practitioners as well.
The Federal Trade Commission (FTC) has warned professionals about a scam from a group that calls itself the Fair Guide, which has already scammed businesses out of millions of dollars. The Fair Guide mails letters to firms, asking them to update their contact information for a trade show or exhibition they attended or planned to attend. The form was simple and requested the recipient to update the form, sign it, and send it back. Buried in the fine print at the bottom of the form was an agreement to pay $1,717 every year to list online with Fair Guide—which has no connection to any trade show. Lawyers and accountants are at particular risk for this scam, as they are continually barraged with updating directories for various legitimate professional organizations, so this can easily slip under the radar.
Some practical advice for practitioners from the field
Given the magnitude of the risk to clients, accountants and tax attorneys are well-advised to take care when downloading software updates and when clicking on links from third parties. Consider implementing a process where all updates come from a single point within the organization. Be very cautious when engaging in "free trials" of software, particularly where the company requires a credit card number to try the software for "free."
Because of busy work schedules, practitioners can forget to do things they would probably do if they received the email on their home account. Take the time to hover over the link before clicking (does it really look like the correct website?). If the link appears to be legitimate and shows up in the text of the email (such as irs.gov/paydirect), still hover over the link (the text could be a picture). Check what comes after the dot, i.e., the "." (Is it taking you to .com or .org instead of .gov?) If an email got caught by the spam blocker, don't be too hasty to pull it out and open it.
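The hover checks described above can also be run mechanically over the HTML body of a suspicious message. The following Python sketch is an added example, not part of the original article; the sample message and its example.com / example.org hosts are constructed, and the function name `review_links` and its flag names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that is itself a domain or URL, e.g. "irs.gov/paydirect".
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Record href, visible text and an embedded-image flag for each <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._cur = {"href": attrs["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None

def review_links(html_body, expected_suffix=".gov"):
    """Return (href, reasons) for every link; an empty reasons list means no flag."""
    collector = LinkCollector()
    collector.feed(html_body)
    report = []
    for link in collector.links:
        target = (urlparse(link["href"]).hostname or "").lower()
        text = link["text"].strip()
        shown = DOMAIN_TEXT.match(text)
        claimed = shown.group(1).lower() if shown else None
        reasons = []
        if claimed and target != claimed and not target.endswith("." + claimed):
            reasons.append("text-mismatch")   # text names one site, link opens another
        if link["image"] and not text:
            reasons.append("image-only")      # the clickable "text" is a picture
        if not target.endswith(expected_suffix):
            reasons.append("unexpected-tld")  # e.g. .com or .org where .gov is expected
        report.append((link["href"], reasons))
    return report

# Constructed sample body; the example.com / example.org hosts are placeholders.
SAMPLE = """<p>Pay at <a href="http://irs.gov.payments.example.com/paydirect">irs.gov/paydirect</a></p>
<p><a href="http://updates.example.org/setup.exe"><img src="cid:button1" alt=""></a></p>
<p>More at <a href="https://www.irs.gov/uac/report-phishing">irs.gov/uac/report-phishing</a></p>"""
```

Calling `review_links(SAMPLE)` flags the first two links and passes the third, whose visible text and actual target both resolve to irs.gov.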
Practitioners who have identified an email scam should forward the phishing email to email@example.com, which is operated by the FTC. Another place to report phishing emails is firstname.lastname@example.org, which is run by a working group that fights phishing. Practitioners who mistakenly clicked on the link in a phishing email or provided information should go to the FTC's identity theft website to take steps to minimize risk. If the email purports to be from the IRS, forward the email to email@example.com.
Practitioners who receive a call should not give the caller the client's personal data and should not trust caller ID anymore. Write down all of the caller's details (such as the name, ID number, and phone number of the caller). Verify the caller is in fact an IRS agent and the number is in fact an IRS phone number before proceeding. Call back to a number that the practitioner knows is an IRS number or call 800-366-4484 to determine if the caller is an IRS employee with a legitimate need to contact the practitioner. If the call is a scam, report it to the Treasury Inspector General for Tax Administration at tigta.gov and to the FTC at ftc.gov/complaint.
Warn clients that the IRS will contact them by mail first, not by phone. Reassure a frightened client that the call is a scam, as the IRS does not demand personal information (such as a credit card number) over the phone nor would they require payment by Western Union, MoneyGram, or iTunes gift card. Clients who were threatened with arrest or a lawsuit are usually the most frightened. Those calls are the easiest for practitioners to detect as initiated by a scammer, as the IRS would never threaten in this manner.
Practitioners who receive a robocall with a sales pitch should hang up immediately and report it to the FTC. Don't press any buttons that the call says would remove you from a list or allow you to speak to a person to request removal. The FTC reports that doing so will trigger even more calls.
Make sure the firm has a single point person to handle directory listings and subscriptions. That person should be familiar with the organizations the firm uses and not deviate without specific approval. That person should double-check against the known mailing address, fax, or phone number of the organization before blindly filling out any document. That person should also carefully read the fine print before agreeing to bind the organization. File a complaint with the FTC at ftc.gov/complaint to report any business directory scam.
Having simple procedures in place can make all the difference for clients. Practitioners should get in the habit of being incredibly cautious: Unless you know who it is from and trust the source, don't open it, don't click on it, and don't disclose any data. For more hints and helpful tricks, go to irs.gov/uac/report-phishing and consumer.ftc.gov/articles/0003-phishing.
Shannon Smith Retzke, Esq., is a tax attorney at Withers Bergman LLP in New Haven, Conn., where she provides tax and reporting advice to high-net-worth individuals regarding non-U.S. bank accounts, FBARs, FATCA, and tax planning. She represents taxpayers in the on and offshore voluntary disclosure program, on and offshore streamlined program, as well as in income tax, partnership tax, and estate tax audits.