Another security issue has arisen in the tax arena, this time targeted not at the IRS, but rather at tax preparers.  In Issue 2016-15 of e-News for Tax Professionals newsletter published by the IRS the agency warned of criminals targeting tax professionals to take control of their systems to file fraudulent returns using the client’s information and redirect the fraudulent refunds to accounts the criminals control.

The text of the article is provided below:

In advance of the tax deadline, the Internal Revenue Service today warned tax professionals of a new emerging scam in which cybercriminals obtain remote control of preparers’ computer systems, complete and file client tax returns and redirect refunds to thieves’ accounts.

Although the IRS knows of a handful of cases to date, this scam has potential to impact the filing of fraudulent returns in advance of the April tax deadline and is yet another example of tax professionals being targeted by identity theft criminals. 

The IRS urges all tax preparers to take the following steps:

• Run a security “deep scan” to search for viruses and malware
• Strengthen passwords for both computer access and software access; make sure your password is a minimum of 8 digits (more is better) with a mix of numbers, letters and special characters
• Be alert for phishing scams: Do not click on links or open attachments from unknown senders
• Educate all staff members about the dangers of phishing scams in the form of emails, texts and calls

Review any software that your employees use to remotely access your network and/or your IT support vendor uses to remotely troubleshoot technical problems and support your systems. Remote access software is a potential target for bad actors to gain entry and take control of a machine. Tax professionals should review Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business, which provides a checklist to help safeguard taxpayer information and enhance office security.

The IRS’s suggested steps are the minimum that CPA firms and CPAs need to take in today’s environment, not only to protect against this threat but also against other attempts to either threaten the CPA’s IT systems or surreptitiously obtain information on the firm’s clients.

The deep security scan, while it sounds like the most promising step, is probably the least likely to uncover the problem.  However it is true that most malware scanning software has an option to run a more thorough scan and doing so on regular basis is likely prudent.  However note that most malware will quickly attempt to disable the security software or otherwise hide from it—and the malware is generally tested against the major programs.  While the vendors quite often do later update the software to harden the program against the attack, that hardening may not make any difference if the malware has prevented your security software from obtaining updates.

Setting strong passwords for both accessing the computer system and software (like tax preparation systems) is an important step.  It won’t necessarily stop all attacks, since most are going to be “let in” by the user who has already logged in, but it will make it easier to prevent situations where third parties (such as janitorial vendors) are able to access machines or programs and install the control programs.  Similarly, good passwords on software provides a partial roadblock, since someone getting access to the machine can’t immediately start using the software.

Certainly no computer should simply power up to the desktop without requiring the user to log in and the passwords used to log in should not be obvious (password is clearly a bad one), nor should be they be written down on a note next to the machine.

Remote access software is also a potential gotcha for a couple of reasons.  First, as the IRS notes, such software (including software used by IT and other support vendors) has been used to gain access to systems.  Second, by definition it has to be open to the outside world.  Thus the method of authentication must be rock solid—and “security by obscurity” (such as using a nonstandard port) is not anywhere near sufficient.

Preferably access is protected either by the use of a key installed on machines authorized to “tunnel in” (so that only those are allowed entry) or the system is secured by a strong password and two-factor authentication systems (where a code is generated by a program running on the outside user’s smartphone or a code is sent by text to that person that must be entered to log into the system).

But the real protection comes from the last two suggestions—all users must be trained on the risks of phishing scams that attempt to get users to click on attachments or visit web sites.  The one point I disagree with the IRS’s advice on regards the IRS’s limiting the advice to only mail from “unknown senders.”  Unfortunately phishing emails often will be created when a criminal gets a copy of a client’s contact list, so the payload may be found in an email coming from (but not actually sent by) a known sender.

The most important suggestion is the latter—there must be training given to all members of the firm regarding the dangers of these scams, and that they won’t only come via email or websites.  Phone calls, faxes, texts, etc. can be used as part of a program to obtain information that can eventually be used to take over a computer system.