As this year’s tax season revs up, scammers have rolled out a new data theft scheme focused on tax professionals.

The IRS announced last week that the agency had identified a new swindle that begins with cybercriminals downloading malicious software onto practitioners’ computers that enables them to steal client data and file fraudulent tax returns seeking a refund.

In a few cases, the thieves used the taxpayers’ real bank accounts for the deposit. Then, a woman who identified herself as an official of a debt collection agency contacted victims to say a refund had been erroneously deposited into their accounts, and asked them to forward the money to her.

The IRS noted that because of inroads by the agency and its Security Summit partners — including state tax agencies and the tax industry — against identity theft, cybercriminals have refocused their efforts on tax professionals from whom they can steal client data.

“Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions,” according to the IRS statement.

“Generally, criminals find alternative ways to get the fraudulent refunds delivered to themselves rather than the real taxpayers.”

In December, the IRS boasted a robust conviction rate for tax-related crimes by its criminal investigation division.

Phishing Season

Last week’s announcement said IRS CI agents were still looking into the latest data theft scam, but noted that most data thefts occur because a tax preparer or someone in the office opened a phishing email and clicked on a link or attachment that contained malware.

One form of malware secretly downloads into computers and either allows thieves to see each keystroke or gives them remote access to computers, in both instances enabling them to steal data stored on the computers.

The IRS urged tax professionals to review the Security Summit’s Don’t Take the Bait campaign, which outlined various scams criminals used to trick practitioners.

It said they should seek expert advice to help them better secure their data, and reminded them of some steps they can take:

  • Educate employees about phishing in general and spear phishing in particular
  • Use strong, unique passwords or, better, use a phrase instead of a word
  • Never take an email from a familiar source at face value. Visit the e-Services website for confirmation
  • If an email contains a link, hover the cursor over the link to see the URL destination. If the URL is unfamiliar or abbreviated, don’t open it
  • Consider a verbal confirmation by phone upon receipt of an email from a new client sending tax information or one requesting last-minute changes to the refund destination
  • Use and automatically update security software
  • Use the security options that come with tax preparation software
  • Send suspicious tax-related phishing emails to phishing@irs.gov

The IRS said the newest scam served as a reminder to taxpayers that they should be alert to any unusual activity such as receiving a tax transcript or tax refund they did not request. Here are seven tips how taxpayers can bolster their online safety and protect tax returns and refunds in 2018.