The IRS posted a Security Summit Alert in News Release IR-2017-126 regarding a new phishing scheme that has been reported to the agency that attempts to get usernames and passwords from tax professionals for their tax software provider accounts.  Unfortunately, one of the IRS’s suggestion to keep from getting caught arguably misses the mark and may make users more likely to fall for such scams.

Phishing is the attempt to get users to disclose various types of confidential information by using an email that appears to be legitimate.  The technique works around users who believe problems only occur if they open emails from “unknown” senders or who are simply harried and see what, on the surface, appears to be a reasonable request.

The newest scam is described in the release as follows:

This latest scam email variation comes with a subject line of “Software Support Update” and highlights an “Important Software System Upgrade.” It thanks recipients for continuing to trust the software provider to serve their tax preparation needs and mimics the software providers’ email templates.

The e-mail informs the recipients that due to a recent software upgrade, the preparer must revalidate their login credentials. It provides a link to a fictitious website that mirrors the software provider’s actual login page.

Instead of upgrading software, the tax professionals are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information.

The sender will make the email look just like normal emails that come from the vendor in question by “borrowing” the graphics used in those emails and mimicking their formatting.  The sender may either create a “from” address that is “close” to the real vendor, or if the sender is at skilled in how email works, actually place the normal address the vendor uses to send email communications in the “from” line.

As the IRS notes, this attack goes for what’s most often the key weakness in any IT security system—the user—by taking advantage of the fact that the user is busy and just wants to get his/her projects completed.  So an email that looks like one the user has seen before and talks about a matter that, at first glance, seems reasonable simply gets processed without additional thought.

The release points out:

This sophisticated scam yet again displays cybercriminals’ tax savvy and underscores the need for tax professionals to take strong security measures to protect their clients and protect their business. This is the time of year when many software providers issue software upgrades and when tax professionals are working to meet the Oct. 15 deadline for extension filers.

The release reminds professionals that tax software vendors simply do not embed links into emails asking them to validate passwords.

Less helpful is the guidance in the release to “never open a link or an attachment from a suspicious email.”  Unfortunately, such advice arguably makes the problem worse and not better—the problem is that the email was construction specifically not to look suspicious, taking advantage of the fact that users think they are fine as long as the email they have received doesn’t appear “suspicious” to the user.

This advice is “standard boilerplate” language used by many security professionals that is attached to such notices.  Unfortunately, at this point the widespread knowledge of such a “rule to insure you are safe” (and despite the fact it doesn’t say that specifically, it’s how users will hear it) is being relied upon by scammers to make it more likely the victim will fall for their scheme.

So, to put it bluntly—the mere fact an email doesn’t look suspicious doesn’t mean it is not a scam.  None of us would advise clients that just because the person asking for money for a “can’t miss” investment doesn’t look suspicious doesn’t mean he/she is legitimate—and, in fact, we’d likely give the line that to be a con man you can’t look like a con man.  The same is true of emails—in today’s world, to be an effective scam email, the item can’t look like a scam email.

Honestly, users need to be trained that any email that asks you to “click a link” or give information must be treated as potentially a phishing attack.  Users should avoid clicking the link if possible (you can type addresses into your browser’s address bar directly) and, if not possible, confirm that the request is legitimate before clicking on the link. 

Similarly, any request for usernames, passwords or sensitive information that arises from following the link in an email has to be treated as highly suspicious.