Scammers who target tax professionals typically have the same goal: gain access to your information so that they can access client information, file fraudulent returns, and steal refunds. While the end goal may be the same, scammers have many methods, and tax preparers should be on guard against the most common. While you may feel confident spotting phony emails from scammers posing as the IRS or your tax software company, emails from fake potential clients can be tougher to spot. But don’t worry; with a little training and a few safeguards, you can protect yourself and your business from fraudulent tax clients. Here’s what to watch for and do if you think you’ve been targeted by a scammer posing as a client.
Signs that a Potential Client is Really a Scammer
Most scammers posing as clients will target you through email, using phishing or spear phishing tactics. In the case of spear phishing, scammers can be very convincing as they may look up information about you and your area in an attempt to appear genuine. They may even carry on an email conversation for several days and exchange multiple emails to build a sense of authenticity and trust. But no matter how convincing they are, you can be vigilant against their schemes by watching out for these red flags:
They send suspicious links or attachments
Phishing and spear phishing campaigns almost always entice you to click a link or download an attachment. These links and attachments will usually install malware or ransomware on your computer or direct you to fake websites that require you to enter usernames and passwords for various sensitive accounts.
Always hover over the hypertext of links in emails to see where the link will direct you before you click. If the URL looks suspicious, don’t click on it. Practice caution with email attachments, and never download attachments from someone you don’t know.
They create a sense of urgency
Scammers that pose as your tax software or as the IRS often use subject lines like “Urgent: Your Account Will Be Deleted Soon.” Scammers posing as clients may use similar tactics, urging you to help them meet the filing deadline or posing as an upset client who wants an error corrected quickly.
They act like you’ve spoken before but you don’t remember them
Scammers know that tax preparers are busy during tax season. Some may send emails that sound as though you have been working together already, hoping that you’ll assume they are an existing client and that you’ve simply forgotten the details of your earlier conversations. For example, they may apologize for the delay in getting their tax documents to you, thank you for working with them, and attach a file with their “documents.”
They refuse to use secure methods of sharing documents
If you’re like most tax professionals, you prefer to use secure software – such as TaxesToGo – for sharing clients’ sensitive documents online rather than email attachments. Most genuine clients will be perfectly willing to use these methods or to meet in person if they aren’t. But since phishing campaigns are only successful if you click the link or download the attachment in the email, these scammers may insist that they can’t send their documents any other way and that you must use the attachments or links sent in their emails.
A former client suddenly “sounds” different or has a different email address
Spear phishers sometimes pose as people you already know. Since you often only see the first and last name of the contact in your inbox, spear phishers can sometimes get away with using a different email address to pose as your trusted contact. Hovering your mouse over the contact name will allow you to see the full email address. If it’s different than usual, get in touch with that person by phone to verify whether they are sending the emails. Similarly, if you notice a sudden change in the tone or format of their emails, you may be dealing with a scammer posing as your client. Reach out to your client directly, and wait to click on any links or attachments until you’ve confirmed who is sending the emails.
What you can do
So how can you protect yourself from spear phishers? It may be tricky as some of these scammers are so sophisticated that their emails are nearly indistinguishable from genuine emails from potential clients. Here are a few ways you can be on guard against spear phishing
Check email addresses and links
As we mentioned above, it’s always a good practice to hover your mouse over the hypertext of links before you click on them. Read the URL closely to make sure it really leads where it says it does. Similarly, check the full email address anytime an interaction seems suspicious. Scammers often use emails that are similar to those of your trusted contacts.
Install security software on all of your computers and consider cyber insurance
Security software can help scan email attachments for malware, detect viruses in emails, and spot common phishing sites. If the worst happens and a scammer successfully installs malware or gets access to your information, cyber insurance can help you resolve the breach and protect your clients as quickly as possible.
Use secure software instead of links and attachments whenever possible.
One of the best ways to avoid becoming a victim of spear phishing is to minimize the number of links and attachments you click on or open. The IRS recommends that you “Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.” Using secure software like the TaxesToGo mobile app eliminates the need for you and your clients to send email attachments, protecting both of you. Instead, clients can scan their documents and upload them directly into the TaxesToGo app, where they are protected by state-of-the-art encryption.
Read IRS Publication 4557 and create a data security plan
On pages 9 and 10 of Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business, the IRS offers tips for recognizing and guarding against phishing attempts as well as other invaluable information for protecting your tax business from data theft. Use this resource and our Step by Step Guide to create a custom data security plan for your tax business.