Taking Back the ID

IRS telephone scams, remote-working risks and VPNs for tax pros

Has this happened to you? A caller, claiming to be from the U.S. Internal Revenue Service (IRS), rings you in the middle of the day. Apparently, you need to settle a tax-related charge, or you’ll be taken to jail. You’re the target of a typical IRS telephone scam. (See Worried About the IRS Scam? Here’s How to Handle Phone Fraud, by Christine Hauser, The New York Times, July 26, 2018.)

Ways to identify IRS telephone scams

IRS telephone scams have been around for years. In a 2018 alert, the IRS informed taxpayers about ways to spot telephone scams run by fraudsters impersonating IRS officials.

The scam artists’ scripts vary, but they typically tell the recipient of the call that a refund is due, or they threaten the recipient and demand money. Regardless of the script, the main intention of the scam is to get individuals to hand over their personally identifiable information (PII) so the criminals can use it for fraudulent purposes. When the IRS wants to discuss personal tax issues, it doesn’t use email, text messages or any social media to contact taxpayers.

These spear-phishing IRS telephone scams can be convincing because the callers appear to know a lot about their targets and even change their caller IDs to appear legitimate. The scam artists might also use fake names and ID numbers, and leave supposedly urgent call-back numbers if the intended victims don’t answer the calls.

Here are five things the IRS will never do:

  • Call you about taxes you owe without first mailing you an official notice.
  • Demand you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone.
  • Threaten to bring in local police or other law enforcement groups to arrest you for not paying.

The IRS offers this advice if you get a phone call supposedly from them requesting money:

  • If you know or think you might owe taxes, call the IRS at 1-800-829-1040.
  • If you know you don’t owe taxes, report the incident to the Treasury Inspector General for Tax Administration (TIGTA) at 1-800-366-4484 or at tigta.gov.
  • If you’ve been targeted by this scam, also contact the Federal Trade Commission (FTC), and use its FTC Complaint Assistant at FTC.gov. Please add “IRS Telephone Scam” to the comments of your complaint.

To learn more about reporting tax scams, go to IRS.gov and type “scam” in the search boxes.

Be aware of the security risks of remote work

Organizations were caught off guard when the coronavirus struck and had to quickly pivot to remote working. The shift has created security threats and opened new opportunities for cybercriminals to gain access to important business resources, including money and PII.

Security firm Tanium surveyed 1,000 chief experience officers (CXOs) in the U.S., U.K., France and Germany between May 29 and June 6. Tanium produced a report that describes how IT leaders were surprised by the security threats and challenges they face from the COVID-19 pandemic. (See How IT leaders were unprepared for the security challenges posed by COVID-19, by Lance Whitney, TechRepublic, July 29.)

“The almost overnight transition to remote work forced changes for which many organizations were unprepared,” said Chris Hodson, Tanium’s chief information security officer, in a press release. “It may have started with saturated VPN [virtual private network] links and a struggle to remotely patch thousands of endpoints, but the rise in cyberattacks and critical vulnerabilities has made it apparent that we’re still far from an effective strategy for the new IT reality.

“Whether companies choose to permanently move their operations remote, return employees to the office, or some combination of both, one thing is clear: The edge is now distributed. IT leaders need to incorporate resilience into their distributed workforce infrastructure. A key part of this is making sure organizations have visibility of computing devices in their IT environment,” Hodson said. (Also see Edge computing: The cybersecurity risks you must consider, by Danny Palmer, ZDNet, Oct. 1, 2018.)

The report found that 22% of those surveyed pointed to overwhelmed IT capacity because of VPN requirements as a major challenge. VPNs that don’t work reliably hamper the rollout of patches and force IT staffers to route employee traffic around their organization’s security measures.

The report also found that although 88% felt ready to shift to fully remote workforces, 96% admitted that they were caught off guard by the security challenges that emerged within the first two months of the lockdown.

Other report findings include:

  • 27% cited the struggle to identify new personal computing devices on the network.
  • 50% would return to normal by prohibiting personal devices on the network to reduce risks.
  • 20% were concerned with increased security risk from video conferencing. In many cases, conferencing tools that are quickly adopted might not meet enterprise security standards. Zoom is one popular virtual meeting application that has been beset with critical security flaws.
  • 88% mentioned a problem keeping devices updated with software patches.
  • 43% said they had difficulty patching the personal devices of remote workers.
  • 45% said they were able to scan and patch network devices but were unable to keep track of how many devices had been patched.
  • 25% said finding and patching vulnerabilities has taken a backseat during the pandemic. Many deprioritized this task because of overloaded VPNs and a lack of visibility into endpoints.
  • 93% of the respondents said they had to cancel or postpone certain security priorities to deal with the shift to remote working. The top two kinds of projects that have been canceled or delayed are identity and access management and security strategy.
  • 85% said they have seen an increase in cyberattacks since the start of the pandemic. The most common types of attacks witnessed have involved data leaks, business email compromise (BEC) or transaction fraud, and phishing campaigns.
  • 85% said they think the negative effects of operating during the pandemic will last at least three more months; 33% predicted it would linger for another six to 12 months.
  • 70% said they will make cybersecurity the top priority for remote work. Some of the specific goals will be to meet compliance requirements, manage cyberrisk and balance risk with the privacy of employees.

Tax practitioners: get your VPN

In conjunction with the Security Summit, the IRS recently released important security tips for tax professionals who are considering teleworking: secure remote locations with VPNs to help protect against cybercriminals.

The Security Summit is an awareness initiative composed of members of the IRS, state tax agencies and the tax community, tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations and financial institutions.

Total membership includes 42 state agencies and 20 industry offices in addition to the IRS, state tax agencies and the private-sector tax industry. The mission is to combat tax refund fraud to protect U.S. taxpayers.

“For firms expanding telework options during this time, a virtual private network is a must have,” according to IRS Commissioner Chuck Rettig. “We continue to see tax pros fall victim to attacks every week. These networks are something you cannot afford to go without. The risk is real. Taking steps now can protect your clients and protect your businesses.”

A VPN provides an organization with an encrypted tunnel to move important information between the internet and an organization’s network. A VPN is extremely important to protect and secure internet connections.

If a tax professional decides not to use a VPN, they risk a remote takeover by cybercriminals, which gives the criminals the opportunity to gain access to the office network and important client information that they can use for tax refund fraud, among other schemes.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also encourages organizations to use VPNs. In its March 13 alert, CISA offers this advice:

  • Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and security configurations.
  • Alert employees to an expected increase in phishing attempts.
  • Ensure information technology security personnel are prepared to ramp up these remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
  • Implement multi-factor authentication on all VPN connections to increase security. If multi-factor is not implemented, require teleworkers to use strong passwords.
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications — such as rate limiting — to prioritize users that will require higher bandwidths.
  • To help locate a legitimate VPN vendor, search “Best VPNs.”

Tax professionals also can learn about other security measures to secure important data:

  • IRS Publication 4557, “Safeguarding Taxpayer Data” (PDF) and “Small Business Information Security: the Fundamentals” (PDF) by the National Institute of Standards and Technology (NIST).
  • Publication 5293, “Data Security Resource Guide for Tax Professionals” (PDF) provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to “e-News for Tax Professionals” and social media or visit Identity Theft Central at IRS.gov/Identity-Theft-Central.

Contact me

Include these scams and important information to protect your online identity in your outreach programs and with your family, friends and business associates.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help on or you’d like me to research and possibly include in future columns or as feature articles. I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a professor of accounting and research at a university in the U.S. Northwest. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and is a member of the White Collar Crime Research Consortium Advisory Council. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.
