Protect Your Clients, Protect Yourself!
Tax professionals are increasingly targeted by cybercriminals because of the sensitive financial information they obtain from their clients. If they fall victim to a data breach and that information is compromised, social security numbers and bank account records will most definitely fall into the hands of thieves. Unwinding the damage can be time-consuming and expensive. Today, we will shed light on how IRS tax refund scams that target both individuals and CPA firms are carried out, as well as a few suggestions on how to avoid them.
The “Updated” Banking Information
Consider this scenario. As a tax preparer at a local CPA firm, you exchange several emails with your client to discuss and prepare their tax return. You ask them to review the information and ensure that everything is correct. During those back-and-forth communications, you receive an email (supposedly from your client) informing you that the bank account information needs to be updated before the documents are filed. Unfortunately, that email was from an opportunistic criminal. Not long afterwards, you discover that your client never received their tax return. Chaos ensues. Fingers are pointed. Lawsuits are filed. Reputations are damaged. This type of tax refund scam is growing in scope and plaguing many CPA firms.
If you are a CPA firm, here are some things to keep in mind:
- Client information should never be sent via email. OK, your email might be secure, but you don’t know whether your client’s email has been compromised or not. Best practices dictate using a client portal where documents can be reviewed and submitted securely. In addition, the right system will also allow you to create automated workflows that help to streamline your business processes.
- Always confirm the true email address of any email sent to you. It is common for attackers to “spoof” an email address so that it appears very similar to your client’s. Hover over the email “From” address to make the sender’s actual email address visible on your computer screen.
- It is important to note that with this type of attack in particular, either your email or the client’s has already been compromised. This should be investigated immediately by your IT/cybersecurity team.
- Finally, businesses should always use a reputable email provider with two-factor authentication (2FA). Also, the email client you use to read emails, the antivirus and anti-malware software on your computer, and the firewall on your network are all important things to evaluate when mitigating risk.
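The sender check described in the list above can also be run automatically over incoming mail. The following is an added example, not part of the original article: it compares a message's "From" header against the address a firm has on file for a client. The client name, the addresses and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed client list: display name -> address the firm has on file.
CLIENTS_ON_FILE = {"jane doe": "jane.doe@example-client.com"}


def check_sender(from_header, clients=CLIENTS_ON_FILE, threshold=0.85):
    """Return 'match', 'lookalike', 'display-name-mismatch' or 'unknown'."""
    display, addr = parseaddr(from_header)
    display, addr = display.strip().lower(), addr.strip().lower()
    if addr in clients.values():
        # Same address as on file. The mailbox itself may still be
        # compromised, so a match alone does not prove the client sent it.
        return "match"
    for known in clients.values():
        # Nearly identical to a known address, e.g. one swapped character.
        if SequenceMatcher(None, addr, known).ratio() >= threshold:
            return "lookalike"
    if display in clients:
        # Familiar name shown to the reader, unfamiliar address behind it.
        return "display-name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "Jane Doe <jane.doe@example-client.com>",
        "Jane Doe <jane.doe@examp1e-client.com>",
        "Jane Doe <jd.taxdocs@mailbox.example>",
        "Bob Smith <bob@unrelated.example>",
    ]
    for header in samples:
        print(f"{check_sender(header):22} {header}")
```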
IRS impersonation isn’t something new. However, people still fall victim to it year after year. First, let’s highlight a few key facts. The IRS will never ask for payment information over the phone and demand you pay in a certain way. In addition, they will also give you time to review what you might owe. And, you most certainly will not be arrested or have the police come knocking at your door if you don’t pay immediately. When a stranger calls claiming to be the IRS, don’t believe them. The IRS will not reach out to you in this manner, and it is important that you not disclose any personal information over the phone. Any information, no matter how big or small, can be used to profile you by the attacker. Keep ALL your information safe. Yes, this even means your dog’s name. Here is a link to the IRS’s website for its official stance on communication and how to report scams.
The “Ghost” tax preparer:
The IRS is warning Americans about the growing threat of “ghost” tax preparers. These individuals scam their clients by using fraudulent tax preparation tactics. This may be the most offensive tax refund scam of all, because the “ghost” is paid to prepare your taxes. However, they never sign or identify themselves, either on paper or electronically. They offer to do the work, even print it out for you, but then have you sign the forms… as though you’ve done all the work yourself. These tactics keep them off the books and under the radar.
What’s the end result? They commit fraud in your name. Inaccurate information is submitted. And there’s always the possibility that your funds were redirected into their account. Never trust someone that you have not fully vetted, or anyone who will not be accountable for their work, even if they are highly recommended by a family member, friend or colleague.