IR-2024-05, Jan. 9, 2024 WASHINGTON — The Internal Revenue Service and the Security Summit partners today alerted tax professionals to watch out for a new round of filing season-related email schemes where cybercriminals pose as potential clients. Previously, the IRS observed a surge in these seasonal "new client" scams where identity thieves target accounting groups and tax preparation firms with fake emails. This year, the IRS has already observed reports of new client scams. Typically, the new client scam peaks during tax season, which runs from January through April. With the 2024 tax season quickly approaching, fraudsters are impersonating real taxpayers seeking help with their taxes, using emails to try obtaining sensitive information or gain access to tax professionals' client data. "These intricate email scams pose a real risk to tax professionals and the taxpayers they represent," said IRS Commissioner Danny Werfel. "Cybercriminals try to capitalize on tax season by masquerading as real taxpayers looking for help. What they really want to do is help themselves to the sensitive client data of tax professionals. We urge tax professionals and their employees to be extra cautious when receiving unexpected email solicitations and avoid clicking on links or opening attachments." The Security Summit partners – a group composed of the IRS, state tax agencies and the nation's tax industry – work together to protect taxpayers and tax professionals against tax-related identity theft. The Summit partners warn that the new client email scam's objective is to steal sensitive personal information that will allow fraudsters to prepare authentic looking tax returns to collect a refund – or use it to commit other types of fraud. Last year, the IRS received hundreds of reports at phishing@irs.gov of the new client scam. The new client scam made up roughly two-thirds of the 400 reports of business email compromise (BEC) or business email spoofing (BES) complaints that came in to phishing@irs.gov. Given the mass production of these messages by cybercriminals, the number of actual spearphishing emails sent to tax professionals associated with these campaigns likely runs into the thousands with the goal to reach tens of thousands of preparers operating across the country. Tax pros: What to watch out for in the new client emails New client scams can try a direct approach by sending an email asking the tax pro to help them with their taxes where the phishing email contains a malicious link or attachment. Or the scammer might take a more cautious approach by sending an initial email asking if the tax pro is seeking new clients. When the tax pro responds to the initial email, the scammer sends a second email that will then contain a malicious link or attachment. During this process, the tax professional may think they are downloading a potential client's tax information or accessing a site with the potential client's tax information. Cybercriminals could collect the preparer's email address, password and possibly other information – or load malware onto the tax pro's computer to gain system access. In one of the current examples being seen by the IRS, the new client scam features several red flags that should raise questions about the legitimacy of the email. This includes awkwardly phrased sentences and odd word usage. However, with access to a stolen email account, scammers can find a legitimate email from a previous victim's email account between the victim and their tax preparer. This email might have no grammatical or spelling mistakes or reference what appear to be legitimate tax issues, which is then re-purposed as part of the new client phishing scam. The subject line will often reference the current tax season and the underlying message will amount to the sender needing someone to "help prepare their taxes." Here's an example of a current new client scam being seen: Subject: 2024 Tax Submission Hello, My name is (name can vary), I am searching for another CPA to help handle my taxes. Is it safe to say that you are accepting new clients for the 2024 tax season? Do you additionally assist with IRS representation? I figured I may have an issue with last year's return. (Click) HERE TO VIEW MY CREDENTIAL [Link to a phishing web address] Upon your approval, we can arrange a physical or virtual meeting to discuss my situation and also provide my tax documents amongst others. Kindly prompt how you plan to push ahead. Best Regards, (Name varies) In some cases, new client phishing emails may appear to come from a legitimate sender or organization (perhaps even a friend or colleague) because their friend or colleague had their email account credentials stolen. Setting up two-factor or multi-factor authentication with your email provider can reduce the risk of having your email account compromised. Posing as a trusted organization or friend remains a common way to target individuals and tax preparers for a variety of scams. Individuals should verify the identity of the sender by using another communication method; for instance, calling a number they independently know to be accurate, not the number provided in the email or text. Related schemes also threaten tax pros, taxpayers Phishing emails sent from compromised email accounts and phishing emails that spoof legitimate organizations threaten tax professionals daily. While tax professionals – as well as taxpayers – should be wary of phishing emails where cyberthieves send emails from stolen email addresses from a business or an individual, there are many other forms of phishing emails during tax season. Cybercriminals will impersonate the IRS, state tax agencies, tax software companies or financial institutions. Phishing scams impersonate other agencies offering government benefits or brands offering various services, such as things like document verification or shipping. Taxpayers should remain vigilant to phishing scams year-round. Where to report phishing emails and other scams Report all unsolicited email - including the full email headers - claiming to be from the IRS or an IRS-related function to phishing@irs.gov. For those experiencing any monetary losses due to an IRS-related scam incident, please report it to the Treasury Inspector General for Tax Administration (TIGTA), Federal Trade Commission and the Internet Crime Complaint Center. People can also forward the email to your Internet Service Provider's abuse department. Data breaches: What to do if a tax pro is victimized Speed is critical if a tax professional becomes a data breach victim. A key component to responding to a data breach – like those that can occur if a tax professional is a victim of the new client scam – is to have an effective action plan and knowing who to contact. Tax professionals have a variety of resources to get help from the IRS and law enforcement in case of a data breach: IRS Stakeholder Liaison – For tax professionals who are victims, the IRS recommends quickly reporting data theft to the local Stakeholder Liaison representative immediately. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional's behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names and take other steps to protect the tax professional their clients. Federal Bureau of Investigation – The local office. Secret Service – The local office (if directed). Local police – To file a police report on the data breach. Contacting states in which tax professionals prepare state returns: Federation of Tax Administrators – Tax professionals can reach this special "report a data breach" web page for victim reporting guidance to the states. State Attorneys General – Most states require that the state attorney general be notified of data breaches. For tax professionals, being prepared for a data breach reflects the importance of having a written security plan. Under Federal Trade Commission rules, tax professionals are required to have a written security plan. As part of the Security Summit effort, the group's Tax Professional team developed a special document that allows practitioners to quickly develop a Written Information Security Plan (WISP) PDF.