The IRS is warning taxpayers and tax professionals of a phishing email scam that targets Hotmail users in attempts to steal their personal and financial information.
The bogus email subject line reads “Internal Revenue Service Email No. XXXX | We’re processing your request soon | TXXXXXX-XXXXXXXX”. The email then prompts taxpayers to sign in to a fake Microsoft page and then asks for personal and financial information.
The IRS has received more than 900 complaints about the scam that apparently only targets Hotmail users. The suspicious websites linked to the scam have been shut down, but taxpayers should be aware of the possibility of similar schemes.
Taxpayers who get a bogus email should forward it to [email protected] (a Windows Live Mail link) and then delete it. They also should be aware that the IRS typically doesn’t contact taxpayers by email to request personal or financial information. For more information, visit the “Tax Scams and Consumer Alerts” page on IRS.gov.
Tax professionals also should be aware of phishing emails, free offers and other common tricks by crooks. Professionals who do have data breaches should contact the IRS through their Stakeholder Liaison.
According to the IRS publication, “Data Theft Information for Tax Professionals”, tax professionals should review their security methods.
Tax professionals can find more information to protect client data in the IRS publication “Safeguarding Taxpayer Data”. Because tax professionals hold large amounts of client data, cybercrooks often target them, the IRS states.
Here are few tips for tax professionals to avoid or report data breaches:
- Use security software on all computers and devices.
- Routinely perform deep scans to detect malware or other viruses.
- Report data breaches to the IRS, the local office of the FBI and possibly the Secret Service.
- File a report with the local police.
- Email the Federation of Tax Administrators at [email protected] to find out how to report victim information to the states.
- Breaches should be reported to the state attorney general in each state where the professional prepares returns. Most states require that the attorney general be notified of data breaches, and that process may involve several offices, the IRS states.
- Consult a security expert.
- Professionals should report the breach to their insurance company and find out if their policy covers data breach mitigation expenses.
Tax professionals also should notify clients of the breach but work with law enforcement on the timing of the notices, the IRS states. Clients should fill out IRS form 14039, “Identity Theft Affidavit,” only if the IRS contacts or writes them or their e-filed tax return is rejected because of a duplicate Social Security number.
About Terry Sheridan
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.