Dirty Dozen: IRS warns tax pros, businesses to be cautious of ongoing spearphishing attacks to gain sensitive information; warns of surge in "new client" scams

IR-2024-100, April 9, 2024

WASHINGTON — As part of the Dirty Dozen tax scams effort, the Internal Revenue Service today urged tax professionals and other businesses to remain vigilant and protect themselves against a continuing barrage of email spearphishing attempts designed to steal valuable information.

Tax professionals and businesses present a tempting target for identity thieves given their extensive information, and scammers continue to look for creative ways to gain access to sensitive systems. In particular, the IRS and the Security Summit partners urge tax pros and businesses to watch out for a surge in a particular type of spearphishing known as “new client” scams, where identity thieves pose as potential clients using fake emails.

Through spearphishing emails, cybercriminals impersonate real taxpayers seeking help with their taxes, using fake emails to get sensitive data or gain access to a tax professional’s client information from their computer systems. While these can peak around tax season, they remain a year-round threat. Criminals accessing tax preparer credentials, or their clients' tax-related information, can affect multiple victims.

“It’s crucial for tax professionals and businesses to be wary of creative and evolving cyberattacks designed to access sensitive systems,” said IRS Commissioner Danny Werfel. “Cyberattacks pose a threat to not just the livelihood of the businesses, but the sensitive tax and personnel information that identity thieves can use to try filing fake tax returns. The Security Summit partners continue to urge tax pros and businesses to be on guard and educate their employees. Taking simple steps by using extra caution when opening emails, clicking on links or sharing private client information can prevent tax professionals from being taken advantage of by cybercriminals.”

This marks the ninth day of the special Dirty Dozen series. Started in 2002, the IRS' annual Dirty Dozen campaign lists 12 scams and schemes that put taxpayers and the tax professional community at risk of losing money, personal information, data and more. While the Dirty Dozen is not a legal document or a formal listing of agency enforcement priorities, the education effort is designed to raise awareness and protect taxpayers and tax pros from common tax scams and schemes, like spearphishing.

Raising awareness about common scams threatening taxpayers and tax pros has been an ongoing focus of the Security Summit, a coalition of the IRS, state tax agencies and the nation's tax industry. The groups have worked together since 2015 to strengthen internal systems and controls to protect against tax-related identity theft, and the Summit partners continue to warn people about common scams and schemes during tax season and beyond.

These scams can threaten a taxpayer's personal and financial information. The Security Summit initiative is committed to protecting taxpayers, businesses and the tax system from scammers and identity thieves, and the annual IRS Dirty Dozen series is incorporated into this larger effort.

What is spearphishing?

While phishing refers to emails or text messages designed to steal personal information, either directly or by getting the recipient to click on an embedded link or attachment, spearphishing is more targeted. Spearphishing is a type of phishing that targets specific individuals, organizations or businesses, typically using malicious emails.

The IRS warns tax professionals about spearphishing because if a tax preparer falls victim to a data breach, the potential for harm is much greater. A successful spearphishing attack can lead to the theft of client data and the identity theft of the tax preparer. This could potentially enable the attacker to file fraudulent returns.

How to avoid being a victim of spearphishing:

  • Never click suspicious links or download attachments from unknown senders, including potential clients.
  • Call the potential client to confirm the email is from them.
  • Send only password-protected and encrypted documents through email.
  • Protect email accounts with strong passwords and two-factor authentication.
  • Use security software products with anti-phishing tools.
  • Be vigilant year-round, not just during tax filing season.

New client scam

The "new client" scam, which involves spearphishing attempts, continues to be a concern for the IRS and its Security Summit partners. Cybercriminals impersonate new, potential clients to trick tax preparers into responding to their emails. Once the preparer responds, the scammer sends a malicious attachment or URL that can compromise the preparer's computer systems and allow the attacker to access sensitive client information.

There are warning signs that should raise red flags and cause people to question an email's legitimacy. Individuals, including tax pros, should always be cautious and look out for any suspicious requests or unusual behavior before sharing any sensitive information or responding to an email. Warning signs include poorly constructed sentences and unusual word choices. Be aware that by gaining access to a hacked email account, scammers can locate a genuine email from a previous victim's email account sent to their tax professional. This email may contain no spelling or grammatical errors and may refer to genuine tax issues.

Report spearphishing and other scams

Individuals should report scams by sending the suspicious email or a copy of the text/SMS as an attachment to phishing@irs.gov. The report should include the sender’s email address, caller’s phone number, date, time and the phone number or email address that received the message.

The Report Phishing and Online Scams page at IRS.gov provides more information on what to look out for and how to report phishing and scams.

Taxpayers can also report scams to the Treasury Inspector General for Tax Administration or the Internet Crime Complaint Center. Another useful tool is the Federal Communications Commission's Smartphone Security Checker.

Report abusive tax schemes and tax return preparers

In support of the Dirty Dozen awareness effort, the IRS encourages people also to report individuals who promote improper and abusive tax schemes as well as tax return preparers who deliberately prepare improper returns.

To report an abusive tax scheme or a tax return preparer, people should use the online Form 14242 – Report Suspected Abusive Tax Promotions or Preparers, or mail or fax a completed Form 14242 PDF and any supporting material to the IRS Lead Development Center in the Office of Promoter Investigations.

Mail:

Internal Revenue Service Lead Development Center
Stop MS5040
24000 Avila Road
Laguna Niguel, CA 92677-3405
Fax: 877-477-9135

Taxpayers and tax practitioners may also send the information to the IRS Whistleblower Office for a possible monetary award.