With tax season in full swing, the IRS is arriving to disrupt the efforts of MSPs to protect their clients’ data.
Not the actual IRS. Hopefully, your MSP’s books are in order (if not, well, that’s another conversation). No, MSPs must battle bad actors who are using the IRS as a tool to gain access to your clients’ networks.
What makes these phishing scams so effective for the scammers is that no law-abiding citizen wants to run afoul of the IRS. A diligent company employee may find themselves hard-pressed to ignore an official-looking email from the IRS.
The real IRS warns of these potential hacks
In a release earlier this month, the IRS acknowledged these problems:
“The IRS warns taxpayers, businesses, and tax professionals to be alert for a continuing surge of fake emails, text messages, websites, and social media attempts to steal personal information. These attacks tend to increase during tax season and remain a significant danger of identity theft.”
In addition to individuals being targeted, scammers are also aiming for the business financial ecosystem of accounts payable and human resource offices. From the recent IRS release:
“The IRS has also seen more advanced phishing schemes targeting the personal or financial information available in the files of tax professionals, payroll professionals, human resources personnel, schools, and organizations such as Form W-2 information. These targeted scams are known as business email compromise (BEC) or business email spoofing (BES) scams.”
One of the variables making IRS scams so effective for the bad guys is the recent changes to the tax code.
“We have such big changes in the tax law, so this is kind of an anomaly year, which could raise the risk of being tricked by malicious actors,” details Janine Spears, an associate professor of information systems at Cleveland State University. People have more questions this year and might be more inclined than usual to open an email purporting to be from the IRS.
The human side of IRS scams
Spears suggests MSPs set up decoy drills, perhaps sending harmless IRS-disguised emails to see which employees open them.
“A lot of companies use tools to send very realistic emails to employees, some of which are very realistic,” describes Spears. With some of the emails, it can be very challenging to guess their actual source. The goal isn’t to shame or discipline an employee, but to educate.
“They issue a simulated attack periodically, with the goal being to bring down the percentage of successful clicks. An MSP could potentially do this during tax season by customizing some emails to look like they’re from the IRS,” Spears says.
This type of problem is not just limited to the United States. Emails disguised as ones from the Australian Taxation Office or Revenue Canada are preying upon people in their respective countries in advance of their tax deadlines.
“The other aspect of phishing is that it’s international in scope. Canadians are being phished from India, for example. The only way I can think of for Canadians to protect themselves is to educate themselves. For starters, the Canada Revenue Agency (counterpart of the IRS) does not contact individuals in the same manner that the phishers do,” Mahesh V. Tripunitara, an Associate Professor with the Department of Electrical and Computer Engineering at the University of Waterloo, tells Smarter MSP.
How can MSPs eliminate this threat?
Spears recommends MSPs create a poster – yes, a poster – and stick it in the breakroom, bathroom, above the water cooler, and everywhere else. This poster should have a message about not falling for fake emails from the IRS.
Employees are so often bombarded with electronic communication that an email alert about IRS phishing attempts could get lost in the clutter. An old-fashioned poster won’t.
“Employees will see a poster repeatedly, and the message will get through,” Spears says. Of course, a low-tech poster needs to be paired with the best anti-phishing training and software.
Information to emphasize includes never giving out one’s IRS IP PIN, which hackers are going to great lengths to get this year. In addition to educating employees, MSPs who manage the networks of accounting offices need to make sure CPAs and tax preparers are following best practices.
“A concern of mine is the electronic transmission of sensitive information to one’s accountant and vice versa,” Barry Ball, vice-president of the Chartered Professional Accountants of Canada, tells SmarterMSP.
“Many advisors are moving to use secure client portals to exchange information rather than using email that has more significant risks,” Ball says.
“A practitioner should discuss how electronic information will be conveyed as part of an engagement letter,” advises Ball.
Lastly, don’t let your guard down when April 15th passes. While IRS-related phishing scams peak this time of year, they don’t disappear once Uncle Sam’s deadline has passed.
Photo: Steve Heap / Shutterstock.