Protecting your firm and clients against phishing scams

In this topic

   What is "Phishing?"

   Examples of Phishing Attempts Directed at Tax Preparers

   How Can Your Firm Protect Sensitive Client Data?

   Helping Your Clients Protect Their Own Sensitive Data

   Help Catch the Culprits - Report Phishing Attempts

   Additional Information


Recent data from the IRS and other agencies that monitor cybercrime report increases in “phishing” scams. It's important to be aware of these scams and to be vigilant in protecting your firm and your clients. Here are some tips on how not to be a victim of this growing category of cybercrime.

What is "Phishing?"

According to the IRS definition, phishing is "a scam typically carried out through unsolicited email and/or websites that pose as legitimate sites and lure unsuspecting victims to provide personal and financial information."

Most often, potential victims receive an email that looks like it's from a legitimate organization—usually some sort of financial institution—but the link in the email goes to a fake website that replicates the organization's site. Sometimes you can tell right away the website isn't the real deal because of misspellings, bad grammar or a general unprofessional look. But as internet criminals become more sophisticated, it gets harder and harder to distinguish the fake websites from the real sites.

Phishers use email addresses they've collected from numerous sources (e.g., websites and social media profiles), and send large quantities of emails with common terms, logos and brands, knowing that most of those emails will go unanswered. But even if only a few recipients fall prey to the scam, the phishers profit.

As an example, a phishing email that falsely appears to be from a bank could be sent to 30,000 people. If 5% of those people use that bank, and just 5% of them click the link, the phishers have gained full access to 75 bank accounts.

The receipt of a phishing email doesn't constitute or indicate any kind of data breach by itself. The breach occurs when the recipient clicks the link in the email and enters personal information on the bogus site. That's how the scammers get information—and they'll use it before the recipient even realizes what's happened.

Attackers can also take advantage of an email program's ability to execute HTML code, leaving the affected computer open to viruses, Trojans and worms.

Examples of Phishing Attempts Directed at Tax Preparers

Not surprisingly, tax preparers—with their access to sensitive financial and client data—are often targeted in phishing scams, as explored in this informative IRS article, Phishing Remains on the IRS “Dirty Dozen” List of Tax Scams for the 2016 Filing Season.

The IRS has announced several new phishing methods directed specifically at tax preparers and payroll departments, which attempt to obtain confidential data such as:

Many software companies, tax professionals and state revenue departments have also seen variations of these schemes.

To help prevent hacking in your firm, see IRS Publication 4557: Safeguarding Taxpayer Data for more information, and work with your trusted information technology staff or provider for more detailed plans.

July 2017: Email requesting that you validate your login credentials

An email is circulating that requests a “validation” of your login credentials to add new security measures.

This email message is designed to look like a legitimate email sent by your software vendor, and it refers to security updates that we implemented over the last year. This is another example of bad actors using social engineering tactics to trick staff into clicking fraudulent links and providing login credentials, which gives the bad actors access to sensitive client and firm data.

If you receive an email like this, do not click the link. Any practitioners who have already clicked the link should immediately initiate their incident response plans, including having all staff within the firm update their passwords for their tax and accounting software.

Here’s an example of the bogus email.

Example of phishing email message

January 2017: Email claiming that clients have uploaded tax organizer files to their portals

This scam involves an email that's disguised as an alert from the tax professional’s client. Specifically, the email — which may appear as if it originated from your software vendor and uses copies of the vendor’s official logos — claims that the client has uploaded tax organizer files to their portal.

If staff click the OPEN link in the email, they’re taken to a website mimicking a login screen from the vendor. Through that social engineering, the bad actors can capture any login and password information the staff member enters.

If you receive an email like this and are unsure whether it’s really from a client, don’t click the link in the email; instead, use your normal method to navigate to the appropriate page. (Of course, that’s only one step toward preventing hacking in your firm; see IRS Publication 4557: Safeguarding Taxpayer Data for more information, and work with your trusted information technology staff or provider for more detailed plans.)

Any practitioners who may have already opened such an email, downloaded a file, or clicked such a link and typed in their credentials should immediately enact their incident response plan, which should include changing their login credentials right away.

Here is an example of a bogus email.

Example email

August 2016: Email instructing tax preparers to download software updates

In August 2016, we learned of a phishing scheme that targets tax preparers with emails that appear to be from a tax software company and instruct preparers to download updates to tax software. The email messages may appear to have been sent by Thomson Reuters or another tax software vendor. (View the IRS notice: IR-2016-103, New Phishing Scheme Mimics Software Providers; Targets Tax Professionals.)

The fraudulent email message prompts the recipient to click a link to download the update. The link opens a web page that then prompts the recipient to download a file. If you download the file, malicious software will harvest sensitive system files, send them to a number of hacker-controlled web locations, and install a key logging program that runs silently in the background of impacted computers. Key logging programs can capture usernames and passwords and provide criminals with further access to additional sensitive firm and client data.

This is an example of a legitimate software update email message from Thomson Reuters.

Example of UltraTax CS software update email message

Notice that we explain how to download and apply the updates through the software itself. Thomson Reuters will never ask you to click a link to retrieve a software update.

March 2016: Email claiming that clients have shared their tax organizers

Another scam that's making the rounds involves bogus tax organizer emails. As shown below, the tax preparer receives an email that appears to contain an organizer with a client's name—easy enough for scammers to generate, since many practitioners and tax preparation software programs use the generic term "organizer" to refer to the collection of information needed to prepare a tax return.

Here's an example of a bogus tax organizer email.

Anyone who clicks on the link and provides information has unknowingly shared confidential or sensitive data with the scammer—and has left their computer system vulnerable to attack.

This is an example of a legitimate tax organizer email from Thomson Reuters.

You'll notice we don't ask you to click a link; we direct you to go through the tax program to download the data you need. You should never have to click a link in an email to access tax organizer data.

Remember, these phishing attempts are likely being sent to thousands of email addresses in the hope of reaching a few people who use organizer technology—this is not the result of any breach of data at Thomson Reuters.
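The scams above share one tell that the legitimate messages lack: a lure (organizer files, a software update, a credential "validation") plus a link to click. As an added illustration, not code from Thomson Reuters or from this article, the following Python applies that rule to a raw email message, flagging lure-themed messages whose sender domain or embedded links fall outside a vendor allowlist. The vendor domain, the lure terms and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Hypothetical allowlist: the domain(s) your software vendor really sends mail and links from.
VENDOR_DOMAINS = {"example-vendor.com"}
# Lure themes taken from the scams described on this page: organizer uploads, updates, credential checks.
LURE_TERMS = ("organizer", "software update", "validate", "validation", "login")
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)

def is_vendor_host(host):
    # True only for the vendor domain itself or one of its subdomains; look-alike names fail.
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def link_hosts(msg):
    # Hostname of every URL in the text or HTML parts (href targets are URLs, so they are caught too).
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")]
    text = "".join(p.get_content() for p in parts)
    return {urlparse(u).hostname.lower() for u in URL_RE.findall(text) if urlparse(u).hostname}

def flag_vendor_lure(raw_message):
    """Return the reasons the message breaks the 'vendor never sends you a link' rule; [] if clean."""
    msg = message_from_string(raw_message, policy=default)
    subject = (msg["Subject"] or "").lower()
    sender = (msg["From"] or "").lower()
    sender_host = sender.split("@")[-1].strip("> ") if "@" in sender else ""
    reasons = []
    if not any(term in subject for term in LURE_TERMS):
        return reasons  # not one of the lures this page describes; out of scope for this rule
    if not is_vendor_host(sender_host):
        reasons.append(f"lure subject but sender domain {sender_host!r} is not the vendor")
    foreign = sorted(h for h in link_hosts(msg) if not is_vendor_host(h))
    if foreign:
        reasons.append("lure subject with links to non-vendor hosts: " + ", ".join(foreign))
    return reasons

# Constructed sample: the "client uploaded organizer files" lure with a look-alike sender and link.
PHISH = """From: "Example Vendor Portal" <alerts@example-vendor-portal.net>
Subject: Client has uploaded tax organizer files to their portal
Content-Type: text/html

<p>Your client uploaded files. <a href="http://example-vendor.portal-login.invalid/open">OPEN</a></p>
"""
# Constructed sample: a legitimate notice that sends you into the program instead of to a link.
LEGIT = """From: notices@example-vendor.com
Subject: Software update available

Open the program and choose Help > Check for Updates to install this update.
"""
```

Running `flag_vendor_lure(PHISH)` yields two reasons (non-vendor sender domain, non-vendor link host), while `flag_vendor_lure(LEGIT)` yields none; the rule is a triage aid for staff training and mail filtering, not a substitute for the incident response plan the article describes.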

How Can Your Firm Protect Sensitive Client Data?

Although phishing isn’t specifically called out in IRS Publication 4557: Safeguarding Taxpayer Data, this publication does include some high-level advice that will help fight all types of data theft, including phishing.

One particularly helpful piece of advice: Write a plan detailing how you'll safeguard taxpayer information—and then put the appropriate safeguards into place.

Could you use some help to assess exactly what you need? Publication 4557 includes checklists to help you “grade” your current situation and guide you to a solution that fits your circumstances.

Since employees can often become innocent victims of a phisher, you should also make your staff aware of the dangers of phishing scams. When they're overwhelmed with work during busy season, it's all too easy to quickly click a link—and regret it later.

In addition to writing a plan and putting safeguards in place, make it a priority to train your staff on how to spot phishing scams. And don't forget to reinforce that training on a regular basis. Keeping your staff informed and well-trained will help reduce the potential for problems in your firm.

Helping Your Clients Protect Their Own Sensitive Data

It's just as important to pass this awareness and knowledge on to your clients, so they don't unwittingly fall prey to a phishing scam. Here are several crucial tips you can impart to your clients, from IRS Publication 4524, Security Awareness for Taxpayers.

Another way to help your clients safeguard their information is to use secure online portal technology. By offering an easy-to-locate login on your website, you can train clients to ignore any suspicious emails they receive and directly log into their portal from your website—thereby ensuring they don't click malicious links.

Help Catch the Culprits—Report Phishing Attempts

When a taxpayer receives an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, you can help in the investigation by forwarding the email directly to phishing@irs.gov. Learn more by visiting the IRS Report Phishing and Online Scams page.

Additional Information

For more information, see the following resources.
