Tax professionals should be on high alert for a new wave of phishing emails masquerading as potential clients seeking tax preparation services. These deceptive messages typically come from mismatched email addresses, provide minimal contact information, and are signed with only a first name. The scammers aim to establish communication with tax preparers, ultimately attempting to trick them into clicking malicious links or sharing access to secure document portals.
To protect yourself and your practice, implement a strict new client verification process that includes phone consultations and formal identification before sharing any sensitive information or portal access. Never click links or download attachments from unverified senders, and consider establishing a standardized intake process that requires potential clients to initiate services through your firm's website or office phone number. Remember: legitimate new clients will understand and appreciate your commitment to security.
What is Spear Phishing?
This type of targeted attack is known as "spear phishing," or more specifically, "Business Email Compromise" (BEC) when targeting professional services. Unlike traditional phishing attempts that cast a wide net with generic messages, spear phishing involves carefully researched, highly targeted communications aimed at specific professionals or organizations.
Why Tax Professionals Are Targeted
Tax preparers are particularly valuable targets due to their access to sensitive financial information and tax filing systems. The FBI and IRS have issued specific warnings about these attacks, as criminals recognize the potential value of compromising a tax professional's systems. The timing of these attacks often aligns strategically with tax season or preparation periods, when professionals expect to receive new client inquiries.
The Sophisticated Approach
What makes this attack notably sophisticated is its patient, methodical approach. Rather than immediately attempting to deploy malware or gain system access, these attackers first aim to establish a seemingly legitimate business relationship. They demonstrate knowledge of industry terminology, standard business processes, and professional norms. In this case, the attacker shows familiarity with tax preparation workflows, client intake procedures, and common practices like reviewing previous years' returns.
The End Game
The ultimate goal of these attacks is typically to either deliver malware through document sharing, gain access to client portals, or extract sensitive information that can be used for identity theft or financial fraud. By first establishing trust and legitimacy, attackers increase their chances of success when they eventually deploy their actual attack. This patient approach makes spear phishing particularly dangerous and difficult to detect without proper awareness and verification procedures.
I hope this message finds you well and that you had a wonderful Thanksgiving. My name is
Sarah, and I am reaching out to inquire about your services for preparing individual tax returns for the 2024 tax year.
🚩 Only first name provided, no last name or contact details
As a new client, I would greatly appreciate the opportunity to discuss how you can assist me with my tax filing needs. To provide some context, I am seeking professional assistance to ensure that my tax return is filed accurately and efficiently. My previous tax preparer has retired and discontinued their practice, prompting me to seek a new professional to handle my taxes moving forward. Could you kindly confirm if you are currently accepting new clients for the 2024 tax season? If so, I would appreciate guidance on the next steps to get started. Additionally, I would like to know which documents or information you require to facilitate a smooth and seamless process.
I am happy to provide a copy of my 2023 tax filing for your review if that would be helpful.
🚩 Early attempt to share documents
Thank you in advance for your time and assistance. I look forward to the possibility of working with you. Best regards, Sarah