Phishing Scam Targets Tax Professionals

The Washington Department of Revenue (Revenue) is cautioning tax practitioners to be aware of an emerging phishing email scam that pretends to be from tax software providers and tries to trick recipients into clicking on a bogus link.

The email scam is the latest in a series of attempts to trick people into giving up sensitive information such as passwords, Social Security numbers and credit card numbers, or into making unnecessary payments.

In the newest scam, tax professionals are receiving emails pretending to be from tax software companies. The email asks recipients to download and install an important software update via a link included in the email.

Once recipients click on the embedded link, they are directed to a website prompting them to download a file that appears to be an update of their software package. The file has a naming convention that uses the actual name of their software, followed by an “.exe” extension.

Upon completion, tax professionals believe they have downloaded a software update when in fact they have loaded a program designed to track their keystrokes, a common tactic used by cyber thieves to steal login information, passwords and other sensitive data.

Tax professionals are encouraged to be on the lookout for these scams and never to click on unexpected links in emails. Similar email schemes using tax software names have targeted individual taxpayers.

To protect their businesses from phishing schemes, tax preparers should take the following steps:

  • Be alert for phishing scams. Do not click on links or open attachments in emails, and always use a software provider’s main webpage for connecting to them.
  • Run a security “deep scan” to search for viruses and malware.
  • Strengthen passwords for both computer access and software access; make sure your password is a minimum of eight characters long (more is better) with a mix of numbers, letters and special characters.
  • Educate employees about the dangers of phishing scams in the form of emails, texts and calls.
  • Review any software that your employees use to remotely access your network or your IT support vendor uses to remotely troubleshoot technical problems and support your systems. Remote access software is a potential target for bad actors to gain entry and take control of a machine.

Tax professionals should review Publication 4557, “Safeguarding Taxpayer Data, A Guide for Your Business,” which provides a checklist to help safeguard taxpayer information and enhance office security.