There’s a dangerous new scam the Internal Revenue Service (IRS) says can victimize tax professionals and their clients.
The agency says scammers are circulating a fake tax form in hopes of gaining access to annuity and life insurance clients. The scheme has a number of variations that can cause serious trouble.
In one iteration, cybercriminals impersonate a cloud-based storage provider and assume the name of a real company in the cloud storage industry.
The scammers then send out emails to tax professionals asking for credentials to access files, including usernames and passwords. Tax professionals who think they are dealing with a real cloud storage company comply.
Stealing email addresses
Once the scammers gain access to the cloud, they steal the email addresses of the tax professional’s clients. They then impersonate a particular tax professional by sending an email to clients with the subject line “urgent information.” The text of the message goes something like this:
“Dear Life Insurance Policy Owner
Kindly fill the form attached for your Life insurance or Annuity contract details and fax back to us for processing in order to avoid multiple (sic) tax bill (sic).”
Note the clumsy wording, which is often a tell-tale sign of a scam. If the victim complies with the request, the scammer has all the information he needs to impersonate the victim.
After assuming a stolen identity, the scammer can contact the victim’s insurance company and attempt to make a loan against their policy, or even make a withdrawal.
Complicated but highly effective
The IRS says the scheme is complicated, but it’s also highly effective and marks a departure from how many scams are carried out.
Instead of sending out millions of spam emails, the scammers target a specific, smaller number of tax professionals. If they compromise one individual, it is then much easier to compromise their clients, and the payoff can be enormous.
The IRS says tax professionals and their clients need to be on guard against this scam, noting that tax professionals should always directly verify any request for information from their cloud storage vendor.
Clients should also contact their tax professional directly to verify any request for information or to make sure any tax form that has been sent is legitimate.
The IRS says tax professionals who have fallen victim to this scheme should contact the IRS immediately through their Stakeholder Liaison. The agency has provided more information for tax professionals here.