Small Business Taxes & Management

Special Report

Be Alert to Account Takeover Tactics


Small Business Taxes & ManagementTM--Copyright 2017, A/N Group, Inc.


The IRS, state tax agencies and the tax industry are again warning tax professionals that account takeovers by cybercriminals are on the rise and practitioners increasingly are the targets. While this information is aimed at tax professionals, much of the advice applies to any individual or business.

Account takeovers occur when a thief manages to steal or guess the username and password of a tax professional, enabling access of their computers or their other online accounts. With these credentials, thieves can, for example, access a tax professional’s IRS e-Services account to steal their Electronic Filing Identification Number (EFIN) or access tax pro software account to obtain critical taxpayer information.

Increasing awareness about account takeovers is part of the “Don’t Take the Bait” campaign aimed at tax professionals. This is the second part of a special 10-week series aimed at increasing security awareness in the tax community. It is part of the Protect Your Clients; Protect Yourself effort. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect themselves from account takeovers.

Tax professionals and taxpayers are among a larger set of groups that face increased threats from account takeovers.

Javelin Strategy and Research conducts an annual identity fraud report. In 2017, it reported a surge in account takeover incidents nationwide--generally aimed at financial accounts--after years of decline. There was a 31 percent increase in the number of incidents for 2016 from 2015.

Account takeovers are a common source of data breaches of taxpayer data, leading to fraudulent tax filings for individuals and for businesses. Account takeovers are often the result of spear phishing emails specifically targeting the tax community. See last week’s “Don’t Take the Bait” news release for information about spear phishing.

Here’s how account takeovers work: Thieves do their homework; perusing web sites and social media for clues about tax preparer’s email addresses and business activities. Then, they pose as a familiar organization, for example, IRS e-Services or a private-sector tax pro software provider by sending a spear phishing email that appears similar to the IRS or the software provider. They may even pose as another tax professional, a familiar bank or, increasingly, a cloud-based storage provider.

Often, the email seems urgent with descriptions like: “Avoid Account Shutdown” or “Unlock Your Account Now.” The email includes a disguised link that may take users to a page that looks like the login pages for IRS e-Services or a tax preparation software provider.

Alternatively, the email link or attachment may load malware onto computers to capture keystrokes, eventually giving the thieves access to user credentials when users log into their accounts. The thieves may pose as a potential client, emailing an attachment that claims to contain tax information but is really infected with keystroke logging malware.

The email claims to be from “IRS E Services,” slightly off from the official IRS e-Services name. Also, IRS e-Services does not send emails except through the Quick Alerts system. Note the “Account Closure Now!” subject line to instill urgency, as does the “update now” link.

Tax professionals should hover their cursors over a suspicious link to see the destination, which may be a URL like:;; or, as opposed to an actual URL. The suspicious link takes the practitioner to a website designed to appear as the actual e-Services login page.

Once a thief obtains a tax pro’s credentials, they immediately can access accounts and steal EFIN, which they can use either to file fraudulent tax returns or sell to other criminals who could file fraudulent tax returns. They may also use a Power of Attorney and Centralized Authorization File (CAF) number, allowing them to access clients’ transcripts. Those who reuse usernames and passwords for multiple online accounts--as many people do--may find the thief has accessed those accounts as well.


Protecting Clients and Businesses from Account Takeovers

Identity thieves have many schemes to steal login credentials. A common tactic is to use a spear phishing email that targets tax professionals. Here are a few steps to protect clients and business accounts:


Copyright 2017 by A/N Group, Inc. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is distributed with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional should be sought. The information is not necessarily a complete summary of all materials on the subject. Copyright is not claimed on material from U.S. Government sources.--ISSN 1089-1536

Return to Home Page

--Last Update 07/20/17