Accountants Community Home

ProConnect Tax Online (PTO) Notifications - Up to Date Information Regarding Tax Scams and Alerts

This announcement page will be updated when we receive new information regarding possible tax scams which could potentially affect you, our customers and your clients. 

This announcement can be 'followed' in order to receive an email notification each time a new item is posted. 

Please click the following link for instructions to set up your email notifications: https://accountants-community.intuit.com/articles/1635808&src=ptocom

Please scroll down to view the most recent posts.





5 updates

Update 11/19/2018 

WASHINGTON — The Internal Revenue Service and Security Summit partners today warned the public of a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.

The scam is especially problematic for businesses whose employees might open the malware because this malware can spread throughout the network and potentially take months to successfully remove.

For more details, please see IR-2018-226 IRS News Alert link below.

IRS warns of "Tax Transcript" email scam; dangers to business networks: https://www.irs.gov/newsroom/irs-warns-of-tax-transcript-email-scam-dangers-to-business-networks


Update 11/19/2018

The Internal Revenue Service and its Security Summit partners recently kicked off a security awareness campaign for tax professionals. The Security Summit is an unprecedented partnership between the IRS, state tax agencies, and the private-sector tax industry.

To combat this threat, go to www.IRS.gov/ProtectYourClients to download the complete Data Security Resource Guide for Tax Professionals. See what steps you can take to better protect your clients and your business. 

Learn more by going to https://accountants-community.intuit.com/articles/1780836-irs-data-security-tips-protect-your-client...









Update 12/4/18 

IRS sees surge in email phishing scams; Summit Partners urge taxpayers: ‘Don’t Take the Bait’

WASHINGTON ― With the approach of the holidays and the 2019 filing season, the Internal Revenue Service, state tax agencies and the nation’s tax industry warned people to be on the lookout following a surge of new, sophisticated email phishing scams.

Taxpayers saw many more phishing scams in 2018 as the IRS recorded a 60 percent increase in bogus email schemes that seek to steal money or tax data. These schemes can endanger a taxpayer’s financial and tax data, allowing identity thieves a chance to try stealing a tax refund.
 
The Internal Revenue Service, state tax agencies and the tax community, partners in the Security Summit, are marking “National Tax Security Awareness Week” Dec. 3 -7, with a series of reminders to taxpayers and tax professionals. In part two, the topic is email phishing scams.

“The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails,” said IRS Commissioner Chuck Rettig. “Watch your inbox for these sophisticated schemes that try to fool you into thinking they’re from the IRS or our partners in the tax community. Taking a few simple steps can protect yourself during the holiday season and at tax time.”

In the second part of this week’s National Tax Security Awareness Week series, the IRS and Summit partners warned against a new influx of phishing scams.

Tax-related phishing scams reported to the IRS declined for the prior three years until a surge in 2018. More than 2,000 tax-related scam incidents were reported to the IRS from January through October, compared to approximately 1,200 incidents in all of 2017.

One recent malware campaign used a variety of subjects like “IRS Important Notice,” “IRS Taxpayer Notice” and other variations. The phishing emails, which use varying language, demands a payment or threatens to seize the recipient’s tax refund.

Taxpayers can help spot these schemes by examples of misspelling and bad grammar. Taxpayers can forward these email schemes to phishing@irs.gov.

The most common way for cybercriminals to steal money, bank account information, passwords, credit cards or Social Security numbers is to simply ask for them. Every day, people fall victim to phishing scams or phone scams that cost them their time and their cash.

Phishing attacks use email or malicious websites to solicit personal, tax or financial information by posing as a trustworthy organization. Often, recipients are fooled into believing the phishing communication is from someone they trust. A scam artist may take advantage of knowledge gained from online research and earlier attempts to masquerade as a legitimate source, including presenting the look and feel of authentic communications, such as using an official logo. These targeted messages can trick even the most cautious person into taking action that may compromise sensitive data.
 
The scams may contain emails with hyperlinks that take users to a fake site. Other versions contain PDF attachments that may download malware or viruses.

Some phishing emails will appear to come from a business colleague, friend or relative. These emails might be an email account compromise. Remember, criminals may have compromised your friend’s email account and begin using their email contacts to send phishing emails.

Not all phishing attempts are emails – some are phone scams. One of the most common phone scams is the caller pretending to be from the IRS and threatening the taxpayer with a lawsuit or with arrest if payment is not made immediately, usually through a debit card.

In addition, phishing@irs.gov continues to receive a large volume of IRS telephone scam complaints. These phone scams increased again in 2018 with reports to phishing@irs.gov recording thousands of telephone numbers from email complaints each week.

Phishing attacks, especially online phishing scams, are popular with criminals because there is no fool-proof technology to defend against them. Users are the main defense. When users see a phishing scam, they should ensure they don’t take the bait.

Here are a few steps to take to protect against phishing and other tax-related schemes:

  • Be vigilant; be skeptical. Never open a link or attachment from an unknown or suspicious source. Even if the email is from a known source, approach with caution. Cybercrooks are adept at mimicking trusted businesses, friends and family -- including the IRS and others in the tax business. Thieves may have compromised a friend’s email address, or they may be spoofing the address with a slight change in text, such as name@example.com vs narne@example.com. In the latter, merely changing the “m” to an “r” and “n” can trick people.
  • Remember, the IRS doesn't initiate spontaneous contact with taxpayers by email to request personal or financial information. This includes asking for information via text messages and social media channels. The IRS does not call taxpayers with aggressive threats of lawsuits or arrests.
  • Phishing schemes thrive on people opening the message and clicking on hyperlinks. When in doubt, don’t use hyperlinks and go directly to the source’s main web page. Remember, no legitimate business or organization will ask for sensitive financial information via email.
  • Use security software to protect against malware and viruses found in phishing emails. Some security software can help identify suspicious websites that are used by cybercriminals.
  • Use strong passwords to protect online accounts. Each account should have a unique password. Use a password manager if necessary. Criminals count on people using the same password repeatedly, giving crooks access to multiple accounts if they steal a password - creating opportunities to build phishing schemes. Experts recommend the use of a passphrase, instead of a password, use a minimum of 10 digits, including letters, numbers and special characters. Longer is better.
  • Use multi-factor authentication when offered. Some online financial institutions, email providers and social media sites offer multi-factor protection for customers. Two-factor authentication means that in addition to entering your username and password, you must enter a security code generally sent as a text to your mobile phone. Even if a thief manages to steal usernames and passwords, it’s unlikely the crook would also have a victim’s phone.

The IRS, state tax agencies and the tax industry are working together to fight against tax-related identity theft and to protect taxpayers. Everyone can help. Visit the “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, to learn more. Tax professionals can also get more information through the Protect Your Clients; Protect Yourself campaign as well as the Tax Security 101 series.

Security Summit Partners highlight new password guidance, urge taxpayers and practitioners to protect all accounts

WASHINGTON – To help protect against cybercriminals stealing identities, the IRS, state tax agencies and the nation’s tax industry urged people to review new, stronger standards to protect the passwords of their online accounts.

Every individual or tax practitioner who maintains any type of online accounts should use strong passwords to protect against savvy cybercriminals taking over their identities and accessing sensitive tax and financial data.

But there’s been some new thinking as to what a strong password is. The latest guidance suggests using a passphrase such as a favorite line from a movie or a series of associated words rather than using a password. The idea is to create a passphrase that can be remembered easily and protect the account. This means passwords like – “uE*s3P%8V)” – are out. Longer, personal phrases people can remember – for example, SunWalkRainDrive – are now preferred.

The Internal Revenue Service, state tax agencies and the tax community, partners in the Security Summit, are marking “National Tax Security Awareness Week,” Dec. 3-7, with a series of reminders to taxpayers and tax professionals. In part three, the topic is creating a strong password.

This is especially important for taxpayers and tax professionals who use online accounts involving financial data or even their online account with the IRS or a tax software provider.

“The IRS and the Security Summit partners have strengthened our systems to help protect against tax-related identity theft,” said IRS Commissioner Chuck Rettig. “To make these defenses even stronger, we need taxpayers and tax professionals to take common-sense steps to protect their data and make it harder for identity thieves. By using better passwords, people can help themselves and the tax community against identity theft.”

The IRS, like all federal agencies, follows the cybersecurity framework set by the National Institute of Standards and Technology or NIST, which is a branch of the Department of Commerce. NIST last year rethought its guidance on passwords.

NIST suggested these three steps to build a better password:

  • Step 1 –  Leverage your powers of association. Identify associated items that have meaning to you.
  • Step 2 – Make the associations unique to you. Passphrases should be words that can go together in your head, but no one else would ever suspect. Good example: Items in your living room such as BlueCouchFlowerBamboo. Bad example: Names of your children.
  • Step 3 – Picture this. Create a passphrase that you can picture in your head. In our example, picture items in your living room. The key is to create a passphrase that is hard for a cybercriminal to guess but easy for you to remember.

In addition to creating strong passwords, the Security Summit urges taxpayers and tax practitioners to take these additional steps:

  • Use a different password or passphrase for each account; use a password manager if necessary for multiple accounts.
  • Use multi-factor authentication whenever possible. Don’t rely on the passphrase alone to protect sensitive data. Multi-factor authentication means returning account holders need more than just their credentials (username and password) to access an account. They also need, for example, a security code sent as text to a mobile phone. Email providers and social media outlets, such as Facebook, offer multi-factor authentication options. For tax professionals, some tax software providers will offer multi-factor authentication as an option, and practitioners should use it if it’s available.
  • Change all factory-set passwords for wireless devices such as printers and routers. Again, use strong passphrases to protect access to these devices, which further safeguards sensitive data.

The IRS, state tax agencies and the tax industry are committed to working together to fight against tax-related identity theft and to protect taxpayers. But the Security Summit needs help. People can take steps to protect themselves online.

Taxpayers can visit the “Taxes. Security. Together.” awareness campaign or review  IRS Publication 4524, Security Awareness for Taxpayers, for additional steps to protect themselves and their data from identity theft. Tax professionals can get more information through the Protect Your Clients; Protect Yourself campaign as well as the Tax Security 101 series.


12/6/2018 

Security Summit warns employers: Be alert to identity theft and W-2 scams


WASHINGTON – As the 2019 tax season approaches, the IRS, state tax agencies and the nation’s tax industry joined together to warn small businesses to be on-guard against a growing wave of identity theft and W-2 scams.

Small business identity theft is big business for identity thieves. Just like individuals, businesses may have their identities stolen and their sensitive information used to open credit card accounts or used to file fraudulent tax returns for bogus refunds. Employers also hold sensitive tax data on employees, such as Form W-2 data, which also is highly valued by identity thieves.

“Identity theft can be devastating to small businesses, and the IRS continues to see instances where cybercriminals are targeting these groups to obtain sensitive employee information that can be used to file fake tax returns,” said IRS Commissioner Chuck Rettig. “And as tax season approaches, the IRS and the Security Summit partners continue to warn employers to be on the lookout for emails asking for sensitive W-2 information, a dangerous scheme aimed at payroll and human resource offices. We encourage small businesses and others to follow some important steps to help protect themselves and their employees.”

The Internal Revenue Service, state tax agencies and the tax community, partners in the Security Summit, are marking “National Tax Security Awareness Week,” Dec. 3-7, with a series of reminders to taxpayers and tax professionals. In part four, the topic is business-related identity theft and scams.

Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they would file with fraudulent individual tax returns. Fraudsters also used EINs to open new lines of credit or obtain credit cards. Now, they are using company names and EINs to file fraudulent returns.

The IRS has identified an increase in the number of fraudulent Forms 1120, 1120S and 1041 as well as Schedules K-1. The fraudulent filings apply to partnerships as well as estate and trust forms.

Businesses, partnerships and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:

  • Extension to file requests are rejected because a return with the Employer Identification Number or Social Security number is already on file;
  • An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS;
  • An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer.
  • Failure to receive expected and routine correspondence from the IRS because the thief has changed the address.

Complete trusted customer questions

The IRS, state tax agencies and software providers also share certain data points from returns, including business returns, that help identify a suspicious filing. The IRS and states also are asking that business and tax practitioners provide additional information that will help verify the legitimacy of the tax return.

These “know your customer” procedures are being put in place and include the following questions:

  • The name and SSN of the company executive authorized to sign the corporate tax return. Is this person authorized to sign the return?
  • Payment history – Were estimated tax payments made? If yes, when were they made, how were they made and how much was paid?
  • Parent company information – Is there a parent company? If yes, who?
  • Additional information based on deductions claimed.
  • Filing history – Has the business filed Form(s) 940, 941 or other business-related tax forms?

Sole proprietorships that file Schedule C and partnerships filing Schedule K-1 with Form 1040 also will be asked to provide additional information items, such as a driver’s license number. Providing this information will help the IRS and states identify suspicious business-related returns.

For small businesses looking for a place to start on security, the Federal Trade Commission maintains a Protecting Small Business page which includes a series on cybersecurity and a Cybersecurity for Small Business publication. This is a cooperative effort between the FTC, the National Institute of Standards and Technology, the Department of Homeland Security and the Small Business Administration.

Guard against W-2 scam

All employers – in both the public and private sectors – also are targets for the W-2 scam that has in recent years become one of the more dangerous email scams for tax administration. These emails appear to be from an executive or organization leader to a payroll or human resources employee. It may start with a simple, “Hey, you in today?” and, by the end of the exchange, all of an organization’s Forms W-2 for their employees may be in the hands of cybercriminals. This puts workers at risk for tax-related identity theft.

Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred. Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two. This scam is such a threat to taxpayers that a special IRS reporting process has been established.

Here’s an abbreviated list of how to report these schemes:

  • Email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
  • Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement agency.
  • Notify employees so they may take steps to protect themselves from identity theft. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
  • Forward the scam email to phishing@irs.gov.

Employers are urged to put steps and protocols in place for the sharing of sensitive employee information such as Forms W-2. One example would be to have two people review any distribution of sensitive W-2 data or wire transfers. Another example would be to require a verbal confirmation before emailing W-2 data. Employers also are urged to educate their payroll or human resources departments about these scams.

The IRS, state tax agencies and the tax industry are committed to working together to fight against tax-related identity theft and to protect taxpayers. But the Security Summit needs help. People can take steps to protect themselves online.

Taxpayers can visit the “Taxes. Security. Together.” awareness campaign or review  IRS Publication 4524, Security Awareness for Taxpayers, for additional steps to protect themselves and their data from identity theft. Tax professionals can get more information through the Protect Your Clients; Protect Yourself campaign as well as the Tax Security 101 series.