Don’t Take the Bait – Spear Phishing Schemes

The IRS recently kicked off a 10-week series on security updates for tax professionals called “Don’t Take the Bait.” The first post in the series, published on July 11, addresses spear phishing emails and how to avoid falling for them.

Tax professionals are often the targets of spear phishing schemes. The goal of cybercriminals who use this tactic is to acquire taxpayer data and then use it to file fraudulent tax returns in the names of individual and business clients. Spear phishing emails are made to appear as though they come from a trusted source and seek to con targets into voluntarily disclosing sensitive information or opening a link or attachment that downloads malware onto their computer.

The article identifies and analyzes common spear phishing tactics, detailing warning signs of which to be aware, including:

  • A subject line that catches the target’s eye, baiting him or her
  • Conversational but ungrammatical and oddly constructed body text
  • Embedded hyperlinks that use a “tiny” URL in order to mask the true destination
  • Attachments included in emails from prospective “clients”
  • Inclusion of a “call to action” that encourages the receiver to open a link or attachment
  • An urgent warning from the IRS threatening a consequence of some sort if account information is not updated immediately

The IRS recommends eight defensive steps for tax professionals to consider implementing in order to protect their clients and business from spear phishing:

  1. Educate all employees about the various scams that exist.
  2. Develop strong, unique passwords for each account.
  3. Exercise caution even when emails originate from a familiar source.
  4. Always check email link destinations by hovering your cursor over the link before following it.
  5. If possible, double-check verbally with the sender of an email containing links or attachments to verify security before opening them.
  6. Employ security software and enable automatic updates.
  7. Use the security options included in your tax preparation software.
  8. Report suspicious tax-related phishing emails to the IRS, at phishing@irs.gov.

For more details, read the article in full at irs.gov.