IRS: New scam email could target Payroll

Give your Payroll team the heads up: There’s a new spear phishing scam email making the rounds that’s attempting to steal their account credentials by trying to convince them to access a fake version of IRS e-Services.

When cybercrooks steal the identity of someone they think is a tax preparer or has access to sensitive employee taxpayer data, they then try to file fraudulent tax returns to get a refund.

The scam email claims to be from IRS e-Services and appears to be legitimate because it includes the IRS logo. Similar, but still bogus, emails can state that they’re from your “tax preparation application provider.”

What the email scam looks like

Subject lines that should raise red flags include:

• “Action Required: Your account has now been put on hold”
• “Your account has been put on hold,” or
• “Unusual activity report.”

The email itself will say that you haven’t applied a critical software update, and that you must restore and update your account immediately within the next 24 hours or else your account will be terminated.

There will be a malicious “solution link” or attachment provided to supposedly restore your IRS account. However, clicking on them either compromises sensitive data or downloads malware onto your computer.

Scam emails that claim to be from your tax software company will have a link that sends the user to a website that shows the logos of several popular tax software providers. Clicking on a logo opens up a popup window that requests your account information. If the info gets entered, that’s how the credentials are stolen.

Stopping the impersonators

The IRS warns Finance pros to avoid following any instructions in emails like these. They should also avoid sending a reply to the email.

If someone on your team gets tricked into clicking on a suspicious link or attachment, your IT team should be alerted ASAP. If necessary, you should contact your tax software provider directly using a trusted phone number not found in an internet search (because a website can be forged by hackers).

Finally, IRS encourages saving scam emails in a file and sending it as an attachment to phishing@irs.gov. The Treasury Inspector General for Tax Administration should also be notified at www.tigta.gov to report the IRS impersonation scam.