The IRS and the Security Summit continue to issue “Tips for Tax Professionals” (that contain good information for all of us). Today we look at Part 4 of the six-part series, “Working Virtually: Avoid Phishing Scams.”
Idaho Theological Seminary (ITS) is a private college exempt under Internal Revenue Code sections 501(c)(3) and 170(b)(1)(A)(ii). They are not required to file Form 990 annually.
The Accounting Team at ITS asked us about “phishing” scams and how cyber criminals might attack their systems to steal data.
“Well, the ‘front door’ to steal, compromise, or hold hostage your data is many times an email that – if opened – provides access to everything your institution has electronically.”
“How can we identify these emails?”
“Great question. Phishing emails generally have an urgent message, such as your account password expired. They direct you to an official-looking link or attachment. The link may take you to a fake site made to appear like a trusted source and request your username and password. Or, the attachment may contain malware, which secretly downloads malware that tracks keystrokes and allows thieves to eventually steal all the tax pro’s passwords. Researching this issue and providing training to your staff, students, and stakeholders is paramount.”
“Where can we find more information?”
“The IRS and the Security Summit have produced a ‘Don’t Take the Bait’ series that is designed for tax professionals (but contains good information for all of us). More info can be found at:
From IRS News Release (IR-2020-178) – August 11, 2020:
“The coronavirus has created new opportunities for cybercriminals to use email to try stealing sensitive information,” said IRS Commissioner Chuck Rettig. “The vast majority of data thefts start with a phishing email trick. Identity thieves pose as trusted sources – a client, your software provider or even the IRS – to lure you into clicking on a link or attachment. Remember, don’t take the bait. Learn to recognize and avoid phishing scams.” [underline added]
Phishing emails generally have an urgent message, such as your account password expired. They direct you to an official-looking link or attachment. The link may take you to a fake site made to appear like a trusted source and request your username and password. Or, the attachment may contain malware, which secretly downloads malware that tracks keystrokes and allows thieves to eventually steal all the tax pro’s passwords.
This year, IRS identified a highly sophisticated attack against tax firms where thieves gained remote access either through phishing or malware and were able to enter the cloud storage accounts that held client files. In one case, thieves spent 18 months quietly downloading and accessing taxpayer information before they were discovered.
[Institutions] should beware of emails from criminals posing as potential clients. As people practice social distancing these days, criminals may exploit this process to try to trick [your staff, students, stakeholders] into opening links or attachments. The Security Summit continues to urge [institutions] to create “trusted customer” policies, and contact potential clients by phone or video conference.
- Again, has your institution appointed a “Cybersecurity Point Person?”
- The Department of Education imposes certain cybersecurity requirements, assessments, and protocols that you should be familiar with.
- Has your school instituted training for staff, students, and stakeholders on how to recognize sketchy/shady/iffy emails and what to do (heaven forbid) if they open one?
- “Phishing” scams are one of the biggest cybersecurity issues out there – Don’t Take the Bait!
Specific questions? Email Dave Moja
The information provided herein presents general information and should not be relied on as accounting, tax, or legal advice when analyzing and resolving a specific tax issue. If you have specific questions regarding a particular fact situation, please consult with competent accounting, tax, and/or legal counsel about the facts and laws that apply.
© 2020 Moja & Company, LLC