The IRS and its Security Summit partners will kick off another cybersecurity awareness effort this week aimed at tax professionals, with the focus this time on spear phishing email scams in which cyberthieves identify themselves as a friend, customer, or company.
Dubbed “Don’t Take the Bait,” the 10-week campaign begins on July 11 and will cover spear phishing emails, business identity theft, account takeovers, ransomware attacks, remote takeovers, business email compromises, and Electronic Filing Identification Number thefts.
The launch coincides with the first IRS Nationwide Tax Forum in Orlando, FL. It concludes on Sept. 12 with the final forum in San Diego.
This latest effort is part of the “Protect Your Clients; Protect Yourself” education series for tax professionals that was launched last year by the Security Summit, a partnership between the IRS, state tax agencies, and the tax industry to combat tax-related identity theft and refund fraud.
“We continue to see new and evolving threats involving data breaches, intrusions, and various takeovers that put people’s personal information at risk,” IRS Commissioner John Koskinen said in a prepared statement. “These efforts are increasingly targeting tax professionals and businesses with tax information. Too many still overlook basic security steps needed to protect their data. As part of this, we urge the tax professional community: Beware your inbox. Don’t take the bait from these phishing scams.”
The “Don’t Take the Bait” campaign also will offer advice recommended by the IRS, the FBI, and the National Institute for Standards and Technology, which sets cybersecurity frameworks followed by the IRS and other regulatory agencies.
In addition, the new campaign follows a recent recommendation to the IRS by the Electronic Tax Administration Advisory Committee to raise awareness about security among tax professionals.
According to the IRS, the key goal of phishing is for cyberthieves to monetize their stolen information. But because the IRS, state agencies, and the tax industry have made gains against tax-related identity theft, crooks now need more information to improve their impersonation of taxpayers, the IRS states. In turn, tax professionals with access to such information are critical targets.
Because information on tax returns allows the crooks to better impersonate taxpayers, it’s become tougher for the IRS and states to identify bogus tax returns. That makes it imperative for tax professionals who notice a data breach to notify the IRS and states immediately to help prevent the filing of fraudulent returns.
So, how bad is it? From January through May, 177 tax professionals or firms reported data thefts of client information involving thousands of people, according to the IRS. The agency currently is receiving three to five data theft reports a week from tax practitioners.
“We’ve been warning tax professionals that they are increasingly the targets of national and international cybercriminal rings. These syndicates are well-funded, knowledgeable, and creative. It’s going to take all of us working together to combat these identity thieves,” Koskinen said. “But doing nothing or making a minimal effort is no longer an option. Anyone who handles taxpayer information has a legal responsibility to protect it.”
The Anti-Phishing Work Group (APWG), a not-for-profit industry association focused on eliminating the identity theft and fraud that phishing creates, reported 1.2 million phishing attacks in 2016 – a 65 percent increase over 2015. Also, the APWG now sees 92,564 phishing attacks monthly – a 5,753 percent rise over the last 12 years – and each attack may involve millions of emails.
But that’s not all. Phishing.org reports more than 100 billion spam emails are sent daily, and more than 85 percent of organizations have encountered phishing efforts. Phishing damages cost more than $1 billion.
Verizon, which publishes an annual data breach investigations report, indicates in its 2017 study that 95 percent of successful phishing attacks include a malware installation that allows cybercriminals to export data or take control of the computer systems. Most attacks (81 percent) use stolen passwords or gain access through weak passwords.