The Internal Revenue Service, state tax agencies and tax industry warned tax professionals of a new scam email that impersonates the IRS and attempts to steal Electronic Filing Identification Numbers (EFINs).
The Security Summit partners said the latest scheme, arriving just before the start of the nation's tax season, should serve as another reminder that tax professionals remain prime targets for identity thieves. These thieves try to steal client data and tax preparers' identities that will allow them to file fraudulent tax returns for refunds.
"Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season," said IRS Commissioner Chuck Rettig. "Tax professionals must remain vigilant. The scammers are very active and very creative."
The latest scam email says it is from "IRS Tax E-Filing" and carries the subject line "Verifying your EFIN before e-filing."
The IRS warns tax pros not to take any of the steps outlined in the email, especially responding to the email. The body of the bogus email states:
In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver's license before you e-file.
Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver's License emailed in order to complete the verification process. Email: (fake email address)
If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.
© 2021 EFILE. All rights reserved. Trademarks
2800 E. Commerce Center Place, Tucson, AZ 85706
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education, says, “What’s worse than a scammer going after an individual tax filer? One who goes after tax filing professionals, hoping to gain access to the bank accounts of many more Americans keyed up about paying taxes in a difficult financial climate. That’s why tax filers have to be doubly skeptical of any attempted contact related to tax IDs.
“The good thing is, the core advice for taxpayers and tax filers alike is: never respond directly to emails or phone calls requesting information or providing links—instead, use known access sites or contact methods to conduct business; establish a trusted relationship with government agencies that require a unique password and multi-factor authentication; report suspected phishing attempts to the appropriate agency.”
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, “Tax season is something malicious actors use to their advantage every single year. We most often hear about phishing campaigns that target consumers, but now we’re seeing more attacks like this one focusing on tax professionals. By targeting tax firms, an attacker could gain access to highly sensitive tax data such as social security numbers and bank account information for that firm’s entire customer base. People access their work email on a smartphone or tablet just as much as they do on a computer. Attackers know this and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. Unless you tap into the sender name, mobile email clients only display the sender name and not the reply-to address.”
Schless adds, "Social engineering attacks are more difficult to spot on mobile. They’re also easier to deliver, as there are countless ways to send messages on a mobile device. For example, SMS messages have less stringent spam filtering and social media platforms allow attackers to build convincing profiles to distribute malicious content. According to Lookout data, about 15% of financial services employees encountered a mobile phishing attempt each quarter in 2020. The best first-line defense against an attack like this is training. Be sure to constantly run security training and include mobile in those sessions. Simple steps like always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach. Any text, email, WhatsApp message, or any communication that creates a time-sensitive situation should be a red flag. Approach these messages with extreme caution or go straight to your IT and security teams to have them vet it first. Communication from the IRS and other tax agencies traditionally comes through the mail. Even then, you should be sure to validate any communication you receive.”
Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says, “Identity theft is the biggest concern with filing taxes. This means that someone files taxes on your behalf and receives your tax refund. Your claim would be rejected, leaving you to contend with proving your identity to the IRS and hoping to get your refund someone else already collected. Normally the recommendation is to not share personal information or sensitive data like social security numbers; however, because of major hacks we have seen in the past, this information may well already be on the dark web for sale to anyone who wants it. The second risk is phishing, where someone calls or emails you and demands a payment in the hope that you provide bank account or credit card information. The IRS would never call or email directly requesting a payment, nor would it ask for personal information online. It is best to always ignore all of these calls and reach out to the IRS directly if there are any questions.
“The final risk is malware attacks from email attachments that can compromise your local system to gain access to sensitive information. The IRS would never send an email with an attachment, and all of these should be ignored. It is best to reach out to organizations, like the IRS, directly if there are any questions. A risk is malware attacks from links and attachments that can compromise your local system to gain access to sensitive information.”
Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions, explains, “The reason why consumers still fall for tax scams is quite simple: the emails are so authentic looking it is difficult for consumers to tell the difference from the real thing. These scams are so widespread because they work and it is easy money for cybercriminals. If you have a large target list, and many of the victims are unable to tell the difference between a scam and the authentic notices, then even if a small number of people fall for such a scam, it is still extremely profitable for the cybercriminals. Cybercriminals use a lack of good cyber hygiene, fear of breaking the law and financial penalties if unpaid, as scare tactics which continue to prove effective. There are many ways to stop these scams from being successful. The quickest is to develop better cyber security hygiene by educating consumers on ways to detect email scams. Another way to stop and prevent such scams is to use a good email spam filter that will help ensure such email scams do not make it to the email inbox. If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also. Check the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also check your personal details for accuracy. These simple tips can help avoid a potential cybersecurity nightmare.”
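The checks Carson and Schless describe (judge the sender by its address rather than its display name, look at the Reply-To a mobile client hides, and hover over a link to see where it really goes) can be applied mechanically to a message before anyone replies. The script below is an added example, not code from the IRS or any of the vendors quoted in this article. It parses a constructed sample message modelled on the scam's headers and subject line; the domain efile-verify.example, the link target and the trusted-domain set are assumptions made for the example, not the real scam's addresses.

```python
"""Added example: flag the red flags in a suspicious tax-season email.

Not code from the IRS or any vendor quoted in the article. Uses only the
Python standard library so it runs offline.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The domain efile-verify.example is a placeholder
# chosen for this example, not the address used in the real scam.
SAMPLE_EMAIL = b"""\
From: IRS Tax E-Filing <noreply@efile-verify.example>
Reply-To: verification@efile-verify.example
To: preparer@example.com
Subject: Verifying your EFIN before e-filing
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please email your EFIN acceptance letter and driver's license, or confirm at
<a href="http://efile-verify.example/login">https://www.irs.gov/e-services</a>
within 24 hours, or your ability to e-file will be disabled.</p>
</body></html>
"""

# Assumption for this example: the only sender domain we would accept as the IRS.
TRUSTED_SENDER_DOMAINS = {"irs.gov"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def check_message(raw: bytes) -> list:
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # 1. Judge the sender by the address, not the display name shown in the client.
    display, from_addr = parseaddr(msg.get("From", ""))
    if domain_of(from_addr) not in TRUSTED_SENDER_DOMAINS:
        flags.append(
            f"From address {from_addr} is not in {sorted(TRUSTED_SENDER_DOMAINS)} "
            f"despite display name {display!r}"
        )

    # 2. A Reply-To that differs from From sends your answer somewhere else.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Compare where each link claims to go (its visible text) with its real target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if not text.lower().startswith(("http://", "https://")):
                continue  # plain-word link text carries no claimed destination
            shown_host = urlparse(text).hostname
            real_host = urlparse(href).hostname
            if shown_host != real_host:
                flags.append(f"link text shows {shown_host} but points to {real_host}")
    return flags


if __name__ == "__main__":
    for flag in check_message(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

The From domain check only works if you hold the expected domain as a fixed value rather than trusting whatever the message claims; the Reply-To comparison is the check a phone client skips, since it shows the display name and nothing else until you tap it. The link check compares hostnames only, which is the thing hovering reveals; it deliberately does not fetch the URL.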
Abhay Bhargav, CEO at we45, notes, “This is not uncommon, as a standard seasonal phishing attack. During special events or at certain specific moments in time, phishers leverage that event as an opportunity to financially cash in on the event. In this case, clearly the objective is to deploy malware on the tax preparer's machines and cause some data exfiltration over time. This is valuable data, from an attacker's perspective. By compromising Tax Filing professionals, there could be several possible outcomes including:
· Highly confidential details of the tax preparer's clients and their personal and financial information
· Access to Banking Information and possibly credit card information of the clients”