Latest Phishing Email to Target Tax Professionals Uses Spoofed Emails from Education Providers

In the latest phishing scam aimed at tax professionals, the IRS warns that a fake email issued in the name of a professional education provider for preparers is making the rounds (Security Summit Warns of New Phishing Email Targeting Tax Pros, IR-2017-111). 

Unfortunately, the internet’s system for handing electronic mail was never designed with security in mind, and it is relatively trivial to “fake” a from address to make a message appear to come from a legitimate source.  No access is needed to the systems or servers of the spoofed organization in order to pull off this fraud which makes it even more difficult to deal with.  Also, it is also trivial to “borrow” graphics from legitimate web sites and to make the email look just like an actual email from the organization.

In this email, the firm/organization that provides professional education indicates there is a problem with the user’s account and, in order to correct their account (and presumably allow the preparer to get credit for coursework) a large amount of personal and professional information is requested.

The IRS news release provides a copy of the email currently being used:

In our database, there is a failure, we need your information about your account.

In addition, we need a photo of the driver's license, send all the data to the letter. Please do it as soon as possible, this will help us to revive the account.

*Company Name *

*EServices Username *

*EServices Password *

*EServices Pin *

*CAF number*

*Answers to a secret question*

*EIN Number *

*Business Name

*Owner/Principal Name *

*Owner/Principal DOB *

*Owner/Principal SSN *

*Prior Years AGI

Mother's Maiden Name

An education provider, be it a state CPA society, the AICPA, or a private provider (like Loscalzo Institute or our related organizations) has no need for the vast majority of the requested information.  However, as should be clear, such information would allow the party receiving it to masquerade as the professional, both for purposes of filing fraudulent returns and for more general identity theft actions against that individual.

As well, if any of the above information was actually needed to be provided to any organization (be it an education provider, a financial institution or other organization), prudence suggests a user should never click a link provided in such an email but rather log onto the entity’s website by tying the organization’s web address into the browser (such as http://www.loscalzo.com) and then check the account there.

If a professional has fallen victim to such a ruse, the IRS provides the following information:

If you received or fell victim to the scam email, forward a copy to phishing@irs.gov. If you disclosed any credential information, contact the e-Services Help Desk to reset your password. If you disclosed information and taxpayer data was stolen, contact your local stakeholder liaison.

As well, in most states if personal information has been potentially exposed, state laws will require disclosure to all potentially affected individuals.  That could include not just clients, but other individuals whose personal information might be found in client information (such as employees if the outsider potentially gained access to information found in W-2s prepared by the professional for the client).  The professional also should take action to secure his/her own financial and other online accounts.