It’s tax season and the phishing is … easy? Unfortunately, yes, it is. Despite all the warnings about fraud at this time of year, the IRS still reports phishing as the number one tax scam that many people – including accounting firm clients – fall victim to.
As your clients’ trusted advisor, you can help them understand and mitigate the risks of tax season phishing scams, starting with these four tips:
1. Educate your clients about what phishing is. Some of your clients may be well aware of what phishing is, but some may not. Regardless of their level of online sophistication, the IRS recently warned that the new breed of phishing schemes can confuse even the most cautious and experienced taxpayer. As such, when your firm sends out tax season reminders and other communications, be sure to include a definition of what phishing is and how your clients can avoid being a victim of this type of fraud.
You can save time by using this definition of phishing, from a recent post on the SmartVault blog: “Phishing (pronounced ‘fishing’) is a form of social engineering that happens online. Phishers, also known as hackers, use many different techniques to try to fool people into providing their credentials, credit cards or other sensitive information.”
2. Make sure your clients know how to identify and avoid a phishing scam. With the level of sophistication rising in phishing schemes, it is important to remind your clients of what red flags to look for. For example, remind your clients of the following when it comes to email phishing schemes:
- Criminals may pose as a person or organization that your clients are familiar with.
- A “phisher” may hack the email account of someone your clients know and send mass emails under that person’s name.
- Data thieves may pose as financial institutions, credit card companies, the IRS or other government agencies, or even tax companies.
- Many of the emails used in phishing scams look very real, so clients should be advised to double-check whether the sending address matches the “from” name in the email, and whether the sender’s email address matches the domain or organization that the email purports to be from.
- “Too good to be true” and urgent offers are often used, so being cautious and wary of any email containing these kinds of messages is key.
Since phishing schemes can take on so many forms, it is also important to let your clients know how your firm will be communicating with them and how you will be asking them to provide you with the information you need to prepare their returns. Don’t limit your communication only to individual clients; remember, businesses are also targets of phishing schemes and likely to be very receptive to any support you can give them to help mitigate their cybersecurity risks.
3. Let clients know how you are helping to protect their sensitive information. Your clients may be quite nervous about the potential for phishing scams, particularly at this time of year when the media is full of stories about data breaches and identity theft. This is a great time to remind your clients of how your firm is not only helping to keep their data safe and secure, but also committed to protecting clients’ sensitive information during tax season and beyond.
In addition to explaining how you store, secure and exchange tax documentation, make sure that your clients know the information security protocols that you use internally with your employees, and within your workflow, to give them peace of mind and instill further confidence in your firm.
4. Provide your clients with easy, do-it-yourself safeguards. There’s no doubt that your clients will look to your firm to take the lead when it comes to helping them protect the data used to file their tax returns. However, your clients should also know that they have a responsibility to do their part in keeping scammers at bay. Here are some easy safeguards you can educate your clients about that they can proactively implement to reduce the chance of being a phishing victim:
- Avoiding the use of email to transmit sensitive information and, instead, using the secure tools provided by your firm, such as client portals, collaborative document sharing platforms and cloud-based data storage.
- Deleting suspicious emails.
- Not clicking on email links or opening attachments if something seems “phishy,” or otherwise unsafe.
- Changing their email and computer passwords often, and not sharing them with others.
Tax season scams are unfortunate, but they also present an opportunity for your firm to further its position as your clients’ trusted advisor by proactively helping them to avoid taking the bait when confronted with phishing scams and reinforcing your firm’s dedication to information security.
By Larry Gutierrez, CISSP. With more than 15 years’ experience in the control and compliance software industry, Larry leads SmartVault’s compliance division. Prior to his career in private industry, he served as an officer in the U.S. Navy and worked for several software security and oil and gas companies. Larry earned a Bachelor of Science degree from Texas A&M University, Corpus Christi, and is a Certified Information Systems Security Professional (CISSP).
This article originally appeared on Firm of the Future Blog and was repurposed with permission.