 Internal Revenue Service IRS Tax News Security Summit warns tax pros of evolving email and cloud-based schemes to steal taxpayer data. The Security Summit, like the new Justice League, save in the world. They also recently put a sign next to the pool, warning us, water's wet. And one by the toilet, letting us know that if you drop anything in there, you may forever lose that crap. So be careful out there. But first, an attempt at a joke. Am I the only one noticing a fairly large spike in women becoming men these days? So I've noticed. And it seems to be a disproportionately greater percent amongst famous people. Uh, I'm famous. And younger people, who are probably just following the famous people. I learned it by watching you! Might there be some kind of social benefit prompting this phenomenon? Can she see it? Yeah, she's trying to eat it. She wants it. She wants the carrot. She wants the carrot. Or is it really solely biological? I was born this way. Hooray. It seems a little unusual, doesn't it? All these women suddenly becoming men? Dude, it's very unusual. Well, Jimmy's very unusual. I mean, it just seems, oh, I don't know, ridiculous. Is this true? Yes, it's true. This man has no dick. Don't you think? All right, all right, all right. Well, that's what I heard. This city hall. Just a little bit. Well, you can believe, Mr. Pecker, my name is Peck. Ridiculous. Or you could accept the fact that this city is headed for a disaster of biblical proportion. But whatever. IR2022-143, July 26, 2022, Washington. As part of a special security summit series, the Internal Revenue Service State Tax Agency and Nations Tax Industry warned tax professionals to be aware of evolving scams designed to steal client data. So the scammers are at it again, targeting the tax professional to steal data, which is horrible because as we all know, tax professionals are like the salt of the earth just trying to save the world through tax preparation. And they're being targeted here, possibly due in part to tax data becoming more valuable due to changes in the law, increasing things like refundable credits, meaning that if you file a fraudulent tax return, you may be getting more of a possible refund than you may have been getting in the past and therefore more targeting in order to try to get that information. So we got to up the security then in that environment. The security summit, there's a link to that here. Partners continues to see instances where tax professionals have been vulnerable to identity theft, phishing emails that pose as potential clients. So obviously as tax professionals trying to pick up more clients so they can continue with their virtuous job of saving the world through tax preparation, they're vulnerable to the scammers. Now note these phishing kind of things. You might think of them as like unsophisticated normally because normally we get them in our spam bots and we say, hey, this is clearly spam. You look at it and you're like, how could anybody respond to this kind of phishing email? Because those emails are usually targeted for sending out to a whole bunch of different people and they might be actually deliberately unimpressive or faulty or look like almost spam because the execution of whatever they need to do in order to complete the scam might be such that they're actually trying to weed out people that would pick that up. So in other words, if the completion of the scam is that you have to have someone send you money with a gift card as opposed to a credit card or any other kind of payment, then you probably want people that are actually going through with the scam that are more vulnerable to accept giving money through like a gift card or something like that. But if they were to target their scams in such a way that they're just trying to get information or access to client data or tax software information, then they can do more sophisticated targeted stuff, which they looks like they're doing towards tax professionals because if they get one hit there, then they could get a lot more of a payoff in terms of information they might be able to steal, you know, tax returns from. So in any case, the criminals then trick practitioners into opening email links or attachments that infect computer systems with the potential to steal client information. It's just horrifying. It's giving me nightmares. The summit also warns tax professionals using cloud based systems to store and prepare tax returns and information to make sure they use multi factor authentication and light of recent attacks. So some software is actually on your desktop, kind of like that it used to be for Microsoft Office, the word in Excel used to be on your desktop, the software and then and then something like a Google is a cloud based things like Google Sheets or Docs or what not the cloud based thing you would think would be more accessible for firms that are trying to decentralize their network of employees and so on. But you would think that if someone get access to the cloud, then they get access to all that information on the cloud, which you would think would be a little bit more difficult if you have the kind of software words on on your computer, but you know, there's pros and cons to that. So specifically, the summit partners urge people using cloud based platforms to use multi factor options like phone, text or tokens. So you should be turning on the multi factor authentication. So you have to log in when it gives you a phone call or something like that and so on. This can avoid potential vulnerabilities with authentication done just through email, which is easier for identity thieves to access. So they're saying the email because it's on the same machine, same computer, they might be able to access that as well. If it's on a different device, you would think that be more advantageous or difficult to hack. So avoiding these schemes is the second in five part series from the IRS state tax agency and the nation's tax community working together as the security summit that highlight critical steps tax professionals can take to protect client data. The focus of the security summit series part of the protect your clients, protect yourself campaign is to urge tax professionals to work to strengthen their systems and protect client data, quote, identity theft scammers continually tried to try new schemes to steal client personal and financial information from tax professionals. We continue to see a barrage of emails aimed at tax professionals trying to trick them into providing valuable access to identity thieves in quote, said IRS commissioner Chuck Redick quote, and we continue to urge people to use multi factor authentication. So this is where they're telling you, you know, this this is they're putting the sign up next to the pool. So they know it's wet in there, often, including those using cloud based services, constant vigilance is necessary, not just during tax season, but year round. We urge tax pros both large operations and smaller ones to consider these invaluable recommendations to help protect their clients and themselves in quote. So the water is very wet. Fishing emails and SMS texts, known as smishing, that's a catchy word, smishing attempt to trick the recipient into disclosing personal information such as password bank account numbers, credit card numbers, or social security numbers, tax pros are a common target. So how dare they such important people, the tax pros, such good hearted people saving the world. Anyway, scams may differ in themes, but they generally have two traits. They appear to come from a known or trusted source such as a colleague bank credit card company, cloud storage provider, tax software provider, or even the IRS and other government agencies. They create a false narrative often with an urgent tone. It's just the common thing of any kind of scamming situation, right? You got to have a trust kind of thing involved or something that's going to be a scary thing intimidation. And then they're going to say that there's a timing issue involved. You need to act now before you actually think it through and the panic subsides and you say, Hey, wait a sec, this guy's not someone I should be dealing with. So to trick the receiver into opening or link or attachment. So a specific kind of phishing email is called spear phishing. So here we go with the spear phishing rather than the scatter shot nature of a general phishing emails. Scammers take time to identify their victim and craft a more enticing phishing email known as a lure. So again, if you see normal emails, you're like, they're just doing a scatter shot. And that's one strategy. It doesn't mean they're stupid just because the email looks stupid because that's the strategy of the scatter shot. And so, but if they're trying to get a bunch of identity information from one person, they might then target that one person, which, which means they can have more sophisticated looking emails, which I guess is spear phishing and have a lure and possibly multiple emails before they infect a computer where they can, you know, get a lot more information at one time. Scammers often use spear phishing to target tax professionals and a recurring and very successful scam criminals pose as potential clients exchanging several emails with tax professionals before following up with an attachment that they claimed was their tax information. So this scam gained energy as many tax professionals worked remotely and communicated with clients over email versus in person or over the telephone because of the pandemic. So clearly this is can be a persuasive strategy. So once the tax pro clicks on the embedded URL and or opens the attached mail will a secretly downloaded into their computer, giving thieves access to passwords like client accounts and remote access to the computers themselves. No, this is going to give me nightmares, but I'm going to watch it anyway. I'm going to tell you anyways, even though this is this is really disturbing me. These then use this malware known as remote access Trojan rat. It's appropriate to take over the tax professionals office computer system identity, identify pending tax returns, complete them and e file them changing only the bank information to steal the refund. No, in the past criminals have have used ransomware attacks to shut down a variety of computers. Here's the old thing. They just shut down your computer and then try to try to blackmail you. It's just horrible. Professionals can use similar smaller scale tactics agents tax pros. When unsuspecting tax professionals opens a link or attachment malware attacks to tax pros computer system to encrypt files and the thieves hold the data for ransom. Another emerging scheme the IRS has seen involves weak security from tax professionals using cloud based systems to store client data. While many cloud based systems are secure tax professionals using these should ensure they're using strong multi factor authentication. So once again, your information's on the cloud. You got the software on the cloud. You got the tax data on the cloud might be easier to access that if they can get in there if there's weak, you know, codes to get into the to access it. So the IRS has observed multiple instances frequently involving smaller tax professionals or businesses where individual accounts on cloud based platforms have been compromised identity thieves access these and then use existing data from tax returns to file new tax returns seeking refunds frequently by mail. These cloud based accounts are more vulnerable when tax pros do not use strong multi factor authentication to validate who was using the platform. Summit partners urge using authentication methods besides email, which can be easier for thieves to access and allow entry into tax professional account using text phone calls or tokens are safer options. So these scams highlight the importance of basic security steps recommended by the security summit to protect data. So here they go. Here's the sign next to the pool using two factor. That's the two F a or the multi factor authentication. That's M F a option offered by tax preparation providers to storage providers would protect client accounts even if passwords were inadvertently disclosed, keeping antivirus software automatically updated also helps prevent scams that target software vulnerabilities using drive encryption and regularly backing up files helps stop theft of ransomware attacks for tax professionals securing their data to protect taxpayer data is their responsibility as a tax preparer. So to help tax professionals guard against phishing scams and better protect taxpayer information IRS publication for five five seven safeguarding taxpayer data. There's a link to that here. This IRS publication contains some of the latest suggestions such as using the multi factor authentication option offered by tax software products and helping clients get an identity protection P.I.N. There's something new. It seems like we got that multi factor authentication like 100 times here and then they got but now you got the P.I.N. That's another option that they've been put in place here. Additional resources in addition to reviewing IRS publication for five five seven safeguarding taxpayer data. There's a link to that here. Tax professionals can also get help with security recommendations by reviewing small business information security. The fundamentals. There's a link to that here by the National Institute of Standards and Technology. The IRS identity theft central page. There's a link to that here for tax pros individuals and businesses have important details as well. Publication five two nine three data security resource guide to tax professionals. There's a link to that here. It provides a compilation of data theft information available on IRS.gov. Also tax professionals should stay connected with the IRS through subscriptions to e-news for tax professionals and social media. For more information go to IRS.gov IRS.gov IRS.gov v v for victory over the stupid scammers targeting the salt to the earth tax professionals is just disgusting any case there's links to all this stuff here. There'll be a link to this in the description.