There are plenty of things you can try when the fish aren’t biting. When changing bait doesn’t improve your odds, you might even decide to move upstream—even if the thought of leaving your favorite spot seems like heresy. The trick is to know when to be patient and when to make a change.
It turns out phishing scams are aptly named. The identity thieves relying on these tactics understand that social engineering requires practice and planning. Many of these criminals spend years honing their skills and watching for the right conditions to drop a line in the water. Unfortunately, the “right time” tends to be moments of crisis, which is why the Security Summit is emphasizing the risk of phishing email scams during its five-week Working Virtually: Protecting Tax Data at Home and at Work campaign.
The Security Summit knows that phishing emails are particularly dangerous, because they often bypass state-of-the-art data security programs by targeting one of the weakest links in an organization’s security chain: people.
How do phishing scams work?
The IRS says that phishing scams steal personally identifiable information by relying on a few basic principles:
- Impersonate familiar organizations and people
- Establish a sense of urgency
Tax professionals, in particular, are at risk of being targeted, because they handle sensitive financial information and frequently need to establish an online presence. That makes it even easier for identity thieves to set their sights on your tax office.
While some phishing scams masquerade as national brands, the IRS says that tax pros should expect to receive phishing emails claiming to be from the IRS, tax preparation software developers, and clients. To make sure you don’t ignore the email, identity thieves use subject lines like “suspicious login detected” or—as noted in the release—“account password expired.”
If anxiety or curiosity makes you open the email, scammers hope that you’ll click on any attachments or links, “which secretly [download] malware that tracks keystrokes and allows thieves to eventually steal all [of your] passwords.” Other attacks may play the long game.
“This year, IRS identified a highly sophisticated attack against tax firms where thieves gained remote access either through phishing or malware and were able to enter the cloud storage accounts that held client files,” the IRS explains. “In one case, thieves spent 18 months quietly downloading and accessing taxpayer information before they were discovered.”
Since identity thieves are craven parasites, they are more than happy to leverage crises to steal from you and your clients. This year has seen “scams focused on COVID-19 fears by presenting themselves as providers of face masks or personally protective equipment in short supply.” The absolute safest way to avoid these phishing emails is to directly visit an organization’s website, rather than clicking on email links.
Need more information about the latest identity theft scams? Bookmark IRS.gov/IdentityTheft, and subscribe to IRS alerts.