Watch out for “new client” email scam

Tax professionals should watch out for a “new client” scam—an email scheme where cybercriminals pose as potential clients. This scam peaks during the busy tax filing season.

How the new client scam works

The scammer emails a tax professional to ask for help with their taxes. This phishing email has a malicious link or attachment that the scammer claims is their tax information. When the tax professional clicks the link or opens the attachment, the scammer gets access to the preparer’s email address, password, and possibly other information. Some scammers may also load malware onto the tax pro’s computer to gain access to their system—and their clients’ data. Scammers may also use the tax professional’s hacked email account to target clients.

Where to report phishing emails and other scams

People should report unsolicited email that claims to be from the IRS to phishing@irs.gov. For those experiencing any money loss due to an IRS-related scam incident, report it to:

• The Treasury Inspector General for Tax Administration
• Federal Trade Commission
• The Internet Crime Complaint Center

People can also forward the email to their internet service provider’s abuse department.

Data breaches: What to do if a tax professional is victimized

If reported quickly, the IRS can block fraudulent returns in clients’ names and take other steps to protect the tax professional and their clients.

For tax professionals who are victims, the IRS recommends immediately reporting data theft to the local IRS Stakeholder Liaison representative. Liaisons notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf.

Tax professionals should also report fraud incidents to the local offices of the FBI and Secret Service and to their local police.

To report data breaches to the state in which they prepare state returns, tax professionals can contact these organizations:

• Federation of Tax Administrators: Tax professionals can use this special “report a data breach” web page to get state guidance on reporting scam victims.
• State attorneys general: Most states require that the state attorney general receive notification of data breaches.

Create a written information security plan

A key component to responding to a data breach is to have an effective action plan and know who to contact. Under FCC rules, tax professionals must have a Written Information Security Plan. As part of the Security Summit effort, the group’s tax professional team developed a special document that allows practitioners to quickly develop one.