The Internal Revenue Service, along with state tax agencies and the tax preparation industry, has issued a new alert cautioning tax professionals about a new tax season scam in which phishing emails purport to come from tax software providers.
The scam email has the alarming subject line: “Access Locked.” The message informs practitioners that access to their tax preparation software accounts has been “suspended due to errors in your security details.” The phishing email asks the tax professional to address the issue by using an “unlock” link provided in the missive.
However, the link will take the unwitting tax preparer to a fraudulent web page purporting to be the software provider’s site, where they are asked to enter their user name and password. Instead of unlocking their accounts, though, tax preparers unwittingly give away their credentials to cybercriminals, who use them to access the preparers’ accounts and steal client information.
Tax professionals who receive these types of suspicious emails from tax software providers suggesting their accounts have been suspended should send them to their tax software provider, the IRS recommended Friday. Windows users can use the following procedure to help the IRS investigate the phishing emails:
1. Use “Save As” to save the scam. Under “save as type” in the drop-down menu, select “plain text” and save to your desktop. Do not click on any links.
2. Open a new email and attach this saved email as a file.
When sending the email containing the attachment to the tax software provider, also send a copy to Phishing@IRS.gov.
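For a firm that wants to screen saved messages before forwarding them, the following added example (not part of the IRS alert or any provider's tooling) checks a raw message for the subject line, the quoted phrase and any link that does not resolve to the provider's real domain. The domain `taxsoftware.example` and the sample message are constructed placeholders; substitute the sign-in domains your provider actually uses.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Assumption: the provider's real sign-in domains, maintained by the firm.
TRUSTED_DOMAINS = {"taxsoftware.example"}
LURE_SUBJECT = "access locked"
LURE_PHRASE = "suspended due to errors in your security details"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def triage(raw_message):
    """Return the reasons a saved message matches the lure described above."""
    msg = message_from_string(raw_message, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    reasons = []
    if LURE_SUBJECT in (msg["Subject"] or "").lower():
        reasons.append("subject")
    if LURE_PHRASE in " ".join(body.lower().split()):  # tolerate line wraps
        reasons.append("phrase")
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL: treat as untrusted
            host = None
        if not is_trusted(host):
            reasons.append("untrusted-link:" + str(host))
    return reasons


# Constructed sample message; every address and host is made up.
SAMPLE = """\
From: Support <support@taxsoftware.example>
To: preparer@firm.example
Subject: Access Locked
Content-Type: text/plain; charset=utf-8

Your account has been suspended due to errors
in your security details. Unlock it here:
https://taxsoftware.example.unlock-portal.invalid/login
"""
```

Calling `triage(SAMPLE)` flags the link even though its host begins with the provider's name, because only an exact match or a true subdomain of a trusted domain passes.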
The IRS, state tax agencies and the tax professional community have formed a Security Summit partnership to combat identity theft and tax fraud. They reminded tax professionals and taxpayers Friday to never open a link or an attachment from a suspicious email. These scams can increase during tax season.
Tax professionals can see more advice about protecting clients and themselves at the Security Summit’s Protect Your Clients, Protect Yourself page on IRS.gov.
States Fight Back
States are taking steps to combat identity theft tax scams. “Many states over the past five years and the IRS have experienced an explosion in identity theft due to no one’s fault other than corporations having attackers who come into the system and steal personal information out of their systems,” said Julie Magee, commissioner of the Department of Revenue in Alabama. “It’s no secret that every day somebody else has been hacked and that information is then sold on the Dark Web. One of the ways it’s used is to file tax returns both on the federal level and the state level.”
Her department has developed its own technology for combating identity theft and used third-party systems such as LexisNexis Tax Refund Solutions. “The LexisNexis solution is just one of the things we do, but it has been a very valuable tool,” said Magee. “What we do is we send nightly batches through an encrypted process, not the tax return information, but some information off the tax return that we receive, and we ask LexisNexis to run it through their database. They compare variables off the tax return to give us a score that they’re either confident this is the legitimate taxpayer who filed the tax return, or they’re not so sure if there’s not enough information there. Say it’s a new taxpayer, like somebody who just graduated from college, for example, and doesn’t have a big credit history or a history with utility bills or credit cards. Those kinds of people will get a score that’s not as confident. There’s just not enough out there about them. Then they’ll say this definitely doesn’t match. The information on this return is not where the person lives. We know that person is not employed there. There are tons of different variables that they’ll use to compare and contrast.”
She estimates the state of Alabama has saved millions of dollars in tax refunds that were held back from criminals claiming the money, thanks to the system. However, Magee said she would like to see more regulation of the tax preparation industry.
“The biggest problem nobody is talking about is there is no regulation,” said Magee. “Anyone can file a tax return, so you don’t have to be educated, you don’t have to pass any sort of test, and the software is out on the internet. Even for the companies that sell software services that allow you to file a tax return, there’s no regulation for them, none. What they allowed to happen over the years is the proliferation of stolen data, and then the criminals said, ‘I have all this data. How am I going to use it?’ Well, a real soft easy target was tax returns.”
Kentucky is another state that has been taking steps to deter identity theft and tax fraud.
“For a number of years, we’ve actually had a lot of internal efforts which would look at data sources that we had available to us internally to try to identify the tax returns which were being filed that had the potential of being fraudulent,” said Mack Gillim, executive director of the Office of Processing and Enforcement at the Kentucky Department of Revenue. “Of course, we look at filing history and other things that are pretty obvious. I can’t get into the detail of what we do, but it’s basically a lot of internal matching and so forth, things like how many tax returns were being filed by a given individual or address or things like that. Those were our internal efforts.”
More recently Kentucky has been using advanced analytics on the data that it receives. “In other words we’re trying to look at unusual patterns and so forth to see whether we could identify fraud,” said Gillim. “We look at the sources of tax filings and that type of thing to see whether or not something extraordinary is happening there, how frequently the tax returns are being filed. It’s analytics basically. That’s being done pretty much nationwide now by some states, and the IRS for that matter, but we were a little ahead of the game on that, I think. The third thing we’re doing is trying to use a third-party vendor to try to identify situations where there’s a high likelihood of identity theft. Basically that’s using public records to identify situations where maybe a Social Security number is being used by multiple individuals.”
The combination of approaches has helped deter identity theft. “We’ve been very successful in stopping refunds from going out,” said Gillim. “Last year, for example, we stopped about $17 million worth of fraudulent refunds. We think that we catch the great majority of it, but you don’t know what you don’t know. The bottom line is there probably are situations where the fraudsters are figuring out a way to beat us or the IRS or whatever out of money, but we’ve got a pretty comprehensive process within the state of Kentucky. In addition to that, we in the states, the Federation of Tax Administrators and the IRS, have all been working with software vendors to strengthen their controls.”
They are doing more multifactor authentication to verify taxpayer identities, in some cases using information such as driver's license data. “You can use all those with the third-party vendor as well as our internal efforts to try to sift through the information and see whether we can actually find those returns which are fraudulent,” said Gillim.