Bloomberg Tax
March 24, 2023, 8:45 AM

Tax Pros and Their Clients Can Be Targets of ‘Vishing’ Scams

John Wilson

As a tax professional, you maintain and have access to a wealth of sensitive information about your clients. Crafty scammers would love to talk you into sharing it.

Enter vishing campaigns.

You’re no doubt familiar with email phishing, the unsolicited messages offering loans, antivirus software, and pharmaceuticals that lead to credential-skimming websites and spyware-laden attachments. Vishing is the phone-based version, where someone calls out of the blue and asks you to divulge sensitive information they can use for financial gain.

‘Tis the Season for Tax Scams

Tax scams happen year-round, but they’re most popular during tax season. The IRS has issued warnings about the dangers of vishing and phishing in its annual alerts. In 2020, the agency received 400 vishing complaints. In 2021, the FBI’s Internet Crime Complaint Center reported receiving nearly 324,000 vishing and related complaints, totaling $44 million in losses.

Cybercrime has evolved from low-level hacks and “script kiddies” flaunting their coding prowess to state-sponsored entities with resources, expertise—and patience. It’s not just bits and bytes they know how to manipulate. Today’s attackers have perfected psychological tactics to go after victims in very personal ways.

This is called social engineering. The goal is to dupe targets into feeling like they’re helping the caller by providing information. Or perhaps the victim thinks they’ll lose their job if they don’t act.

These campaigns are often sophisticated. Fraudsters will work together to build layered attacks, adding plausibility with convincing details found in social media posts and dark web files. They view potential payouts as worth their while and can devote the time and people to the campaign.

Vishing Scams to Watch Out For

Tax professionals can be verbally breached when tricked into thinking they’re acting on behalf of their client. As caller IDs, websites, and email addresses can all be spoofed, these inquiries usually appear legitimate at first blush. Here are some examples:

New client call. Someone may call looking for a tax professional and will send an email containing relevant attachments to follow up. The email could launch malware or ransomware if an attachment is opened or a link is clicked.

Existing client call. A scammer could see on social media that a client mentioned your firm as its tax preparer. They could pretend to be that client, calling to verify some information on their return. Depending on what details the scammer has already assembled from the dark web, they could file a return in one of your clients’ names if they can pair the Social Security Number they’ve pilfered with a few relevant details they can get you to provide.

IRS agent. A caller with a Washington, D.C.-area caller ID wants to talk through a supposed issue with a recently filed return, or they may ask for your filing PIN.

Software vendor. Scammers claiming to represent your electronic return originator or other solution may call for access to your system to update the software or patch a vulnerability. This is a ploy to either lock you out of your computer or access and copy sensitive files. If they can collect your credentials, this becomes even easier.

Business Email Compromise and Ransomware

Vishing and phishing campaigns often go hand-in-hand.

Business email compromise schemes. Threat actors will impersonate a company executive using a spoofed or lookalike email address for requests such as wiring funds or sending spreadsheets containing client data. They will typically use authority and urgency to get the target to act quickly. The Internet Crime Complaint Center received nearly 20,000 of these complaints in 2021 and adjusted losses totaled close to $2.4 billion.

Ransomware attacks. These often start with vishing calls or phishing emails that contain an attachment or link. If clicked, these will download malicious software onto the user’s computer that can ultimately lock down that device and/or the entire corporate network until the ransom is paid. Even if access is restored, the criminals likely will have copied sensitive files.

Tactics for Protecting Yourself and Your Clients

While it can seem difficult to combat scammers, there are numerous defenses you can use.

Awareness training. Educate your employees on how to detect and handle vishing and phishing campaigns with simulation programs. Help them understand what types of requests are red flags and what to do if they think they’ve been compromised.

Trust your sixth sense. If something seems off in an interaction with someone you don’t know, don’t share information and hang up. This is particularly important for last-minute or urgent requests.

Review data/system access and permissions. Consider who has access to what within your organization, especially when it comes to newer employees. Not every employee needs full access to every file or database. This is known as “least privilege,” and it can limit the damage done if an employee is tricked into clicking a malicious link or attachment.

Maintain security best practices. Antivirus software, use of virtual private networks, and multi-factor authentication are great steps toward preventing breaches and data loss.

Avoid public Wi-Fi when accessing client files. Scammers can set up hotspots that look like legitimate public network options and capture login credentials and more. You can eliminate this risk by using a VPN whenever you are on public Wi-Fi.

Call back using existing contact information. If you’re unsure a caller is a current client or software vendor, use contact details from your own files or a trusted website to call them back—not the number the caller gives you.

Use IRS Identity Protection PINs. Encourage your clients to use these safeguards to access previous returns or file new ones.

Turn on Windows file extensions. By default, Windows File Explorer hides file extensions for known file types. Scammers know this and will send executable files that appear to be PDFs, .txt files, or Excel documents when they’re actually malware or ransomware.

Report scams. If you suspect vishing, capture the phone number and report it to the US Treasury Inspector General for Tax Administration.
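
The "Turn on Windows file extensions" tip above, as an added PowerShell example that is not part of the original article: it turns off File Explorer's extension hiding for the current user and lists files whose names carry a document extension followed by an executable one. The extension lists, the function name Test-DisguisedFileName and the sample file names are assumptions constructed for illustration.

```powershell
# Added example, not from the article. Run in a normal (non-elevated) session.

# 1. Show file extensions for the current user. File Explorer stores the
#    "Hide extensions for known file types" option as HideFileExt (0 = show).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Flag names that end in a document-style extension followed by an
#    executable or script extension, such as "engagement_letter.pdf.exe".
#    With extensions hidden, that file would display as "engagement_letter.pdf".
function Test-DisguisedFileName {
    param([Parameter(Mandatory)][string]$Name)

    # Illustrative lists (assumptions); extend them to match your environment.
    $decoy   = 'pdf|txt|doc|docx|xls|xlsx|csv|jpg|png'
    $active  = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta|lnk|ps1|msi'

    # \s* also catches padding spaces placed between the two extensions.
    # -match is case-insensitive, so ".PDF.EXE" is caught as well.
    $pattern = "\.($decoy)\s*\.($active)$"
    return ($Name -match $pattern)
}

# Constructed sample names to show what is and is not flagged.
$samples = @(
    '2022_W2.pdf',                   # ordinary document
    'engagement_letter.pdf.exe',     # document extension, then executable
    'Client Organizer.xlsx   .scr',  # padded with spaces before the real extension
    'notes.txt',                     # ordinary text file
    'setup.exe'                      # honest executable, not disguised
)
foreach ($name in $samples) {
    '{0,-6} {1}' -f (Test-DisguisedFileName -Name $name), $name
}

# 3. Check a real folder, here the current user's Downloads directory.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $downloads -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { Test-DisguisedFileName -Name $_.Name } |
    Select-Object FullName, Length, LastWriteTime
```

File Explorer may need to be restarted before the extension setting takes visible effect. A flagged file is a prompt to verify the sender through a known contact before opening it, not proof that the file is malicious.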

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

John Wilson is a senior fellow responsible for threat research at Fortra, where he heads up the Agari Cyber Intelligence Division. He researches business email compromise scams and conducts “active defense” engagements with threat actors.
