Tax professionals across the country are being warned by the Internal Revenue Service, state tax agencies and the tax industry to be on the lookout for a new scam to steal their Electronic Filing Identification Numbers (EFINs).
Security Summit partners say this new scheme serves as another reminder that tax pros are still prime targets for identity thieves. These criminals try to steal client data and tax preparers’ identities that will allow them to file fraudulent tax returns for big refunds.
“Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season,” said IRS Commissioner Chuck Rettig. “Tax professionals must remain vigilant. The scammers are very active and very creative.”
How does the EFIN phishing scam work?
The new scam email says it is from “IRS Tax E-Filing” and carries the subject line “Verifying your EFIN before e-filing.”
The IRS warns tax pros not to take any of the steps outlined in the email, especially responding to the email. The body of the bogus email states:
In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file.
Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed in order to complete the verification process. Email: (fake email address)
If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.
© 2021 EFILE. All rights reserved. Trademarks
2800 E. Commerce Center Place, Tucson, AZ 85706
The IRS outline what recipients should do if they receive one of these phishing emails: “Tax professionals who received the scam should save the email as a file and then send it as an attachment to [email protected] They also should notify the Treasury Inspector General for Tax Administration at www.tigta.gov to report the IRS impersonation scam. Both TIGTA and the IRS Criminal Investigation division are aware of the scam.”
Both TIGTA and the IRS Criminal Investigation division are aware of this new scam.
Same tactic, new execution
Like all phishing email scams, this newest attempt tries to bait the receiver into taking action by opening a link or attachment while threatening disabling the account if they refuse. The links or attachment may themselves be set up to steal information or to download malware onto the tax professional’s computer.
In this case, tax preparers are being asked to email documents revealing their identities and EFINs to the data thieves. The cybercrooks can then use the information to file fraudulent returns by impersonating the tax pro.
The newest attack is the latest in a string of IRS impersonation phishing attempts. Other common scams have sought EFINs, Preparer Tax Identification Numbers (PTINs) or e-Services usernames and passwords. All pose a threat to tax professionals.
Some scammers pose as potential clients—an especially effective scam nowadays because there are so many remote transactions during the pandemic. The thief may interact repeatedly with a tax professional, then send an email with an attachment that claims to be their tax information.
The attachment, though, is a trap. It might contain malware that lets the thief track keystrokes and eventually steal all passwords. It might even take control of the office’s computer systems.
Some phishing schemes are ransomware attacks, where the thief gains control of the tax pro’s computer system and holds his data hostage until a ransom is paid. The FBI has warned against paying a ransom, however; thieves often leave the data encrypted after they get the money.