Scam Of The Week: IRS Issues Warning On New Tax Phishing Attack



It's unbelievable, but the new tax season is around the corner and the bad guys are already at it. This is a two-phase phishing scam of the week you need to watch out for:

PHASE 1: Cybercriminals are sending emails to tax professionals, posing as potential clients interested in their services. The emails carry an innocent-looking subject such as "I need a preparer to file my taxes."

The tax preparer responds, and the bad guys send a second email with a malicious attachment that claims to contain the client's tax information. The tax preparer falls for this social engineering attack and opens the attachment (and likely enables macros), which compromises the machine. Now the bad guys own the tax preparer's computer.

PHASE 2: The bad guys now use the tax pro's computer to send out legit-looking emails to all the tax pro's clients, asking them to send their financial records to the bad guys' own email address. With that illegally obtained information they can quickly file a fake tax return and pocket the money.

Tax refund identity theft is a growing epidemic. The hassle is enormous, because when you file your own return, the IRS sends you a notice stating that “More than one tax return for you was filed”. That's when the nightmare starts, because on average it takes the IRS a long, long time to resolve tax-related theft cases.

I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit: 

ALERT: Tax season scams are starting early this year and the bad guys are getting smarter by the month. The current scam works in two steps, so watch out for possibly bogus emails asking for your tax information.

STEP 1: Cybercriminals are sending emails to tax professionals, posing as potential clients interested in their services. The tax preparer responds, and the bad guys send a second email with a malicious attachment. The tax preparer falls for this social engineering attack, which compromises the machine. Now the bad guys "own" the tax preparer's computer.

STEP 2: The bad guys now use the tax pro's computer to send out legit-looking emails to all the tax pro's clients, asking them to send their financial records to the bad guys' own email address. With that illegally obtained information they can quickly file a fake tax return and pocket the money.

So, when you get any email about your taxes, or your W2 from literally anybody, whether you know them or not, pick up the phone and verify with your known, trusted tax preparer that they actually sent you that email. If you send tax information via email, triple-check that the email address you are sending this to is correct and type it in yourself in the "To" field.

NEVER click on "reply" and attach your tax information, because that reply email address might be spoofed. Want to be 100% safe? Hand-carry your tax info to your preparer and do the tax return in person with them.

Here is a link to the IRS site, with more tax scams you need to watch out for:
https://www.irs.gov/uac/tax-scams-consumer-alerts

Here is a link on what to do to get your money back if your tax refund already *has* been stolen:
http://time.com/money/3709141/stolen-tax-refund/

Let's stay safe out there.

Think Before You Click!
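
For mail administrators, the two warning signs in this scam (a reply address that does not match the sender, and an Office attachment that can carry macros) can be flagged automatically. The following is an added example, not part of the original post; the addresses, file name and extension list are constructed assumptions, and a Reply-To mismatch is a triage signal to verify by phone, not proof of fraud.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Office file types that can carry macros (starter list, an assumption).
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xlsb", ".pptm", ".doc", ".xls")

def domain(header_value):
    """Lower-cased domain of an address header, or '' if missing/malformed."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def triage(raw_message):
    """Return findings for one message given as RFC 5322 text."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            findings.append(f"macro-capable attachment: {name}")
    return findings

def build_sample(sender, reply_to=None, attachment=None):
    """Construct a sample message (all values are made up for the demo)."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "client@client.example"
    m["Subject"] = "I need a preparer to file my taxes"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Constructed sample body.")
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    raw = build_sample("Tax Pro <office@preparer.example>",
                       "office@preparer-mail.example", "client_tax_info.docm")
    for finding in triage(raw):
        print(finding)
```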


