The discovery of a new IRS e-Services scam has prompted the Internal Revenue Service to kick off its Security Awareness Tax Tips with a phishing warning.
New IRS e-Services Scam Reported
IRS tax scams are nothing new. In fact the IRS regularly issues warnings about new phone and email scams. Criminals frequently devise new scams to get U.S. consumers to reveal personal information. However, the latest IRS e-Services scam targets tax practitioners and attempts to get users to reveal their IRS e-Services login credentials.
As is the case with most phishing campaigns, a highly realistic email is sent requesting action to be taken to address a matter that requires a user’s urgent attention. Many IRS phishing scams warn of immediate suspension of an account; although the latest IRS e-Services scam says this has already happened. In order to lift the suspension on the account, the user must click on the link contained in the email and update their Electronic Filing Identification Numbers (EFINs).
The email warns “Our account surveillance have detected some suspicious activities over your account and to maintain the security we have temporarily disabled some functions on your account.”
Users are provided with a link which they must click on in order to reactivate all functions on their account. After clicking the link, users are asked to verify their identity by entering in their username and password.
The link contained in the email may appear genuine, but it will direct the user to a phishing website that will capture the username and password as they are entered.
Gaining access to IRS e-Services is potentially very lucrative for criminals. The service allows tax professionals to conduct a number of services online on behalf of their clients. Access to one of these accounts can potentially allow the scammers to gain access to a wealth of data that can be used to commit identity theft and tax fraud. Should access to the account be gained, criminals would be able to obtain details of past tax returns and other client account details.
The email appears to have been sent from a genuine IRS email address. The new IRS e-Services scam shows that sender email addresses cannot be trusted as a way of checking the genuineness of emails.
Tax professionals have been warned not to click on the link contained in the phishing email and to delete it. The IRS has told users that it does not initiate conversations with individuals via email, social media channels, or text message. The IRS will also not request that users reveal their passwords.
The IRS will soon be launching its new “Taxes. Security. Together” initiative ahead of the 2016 tax season. The campaign is aimed at improving awareness of phishing scams and other methods used by criminals to get unsuspecting users to reveal their tax information.