The U.S. Internal Revenue Service has issued an urgent warning concerning a phishing scam that seeks to steal Electronic Filing Identification Numbers.

The scam, which emerged just before the tax filing season began Feb. 12, involves emails that impersonate the IRS with a subject line “verifying your EFIN before e-filing.” The text of the email asks tax preparers to email copies of the EFIN verification and driver’s license with a fake warning that if they do not comply, their ability to file tax documents electronically will be disabled.

In the event that victims fall for the scam, the information obtained can be used to illegally file tax returns for refunded by impersonating the victim.

“Tax professionals who received the scam should save the email as a file and then send it as an attachment to phishing@irs.gov,” the IRS advised in the Feb. 10 notice. “They also should notify the Treasury Inspector General for Tax Administration… to report the IRS impersonation scam.”

Although IRS impersonation scams are not new, there’s a COVID-19 pandemic angle to the current phishing campaign. “Some thieves also pose as potential clients, an especially effective scam currently because there are so many remote transactions during the pandemic,” the IRS explains. “The thief may interact repeatedly with a tax professional and then send an email with an attachment that claims to be their tax information.”

Tax scams are “as inevitable as paying taxes,” Erich Kron, security awareness advocate at security awareness and training firm KnowBe4 Inc., told SiliconANGLE.

“These scams use a multitude of scenarios that individuals and organizations face each year, as they work through the often confusing, stressful and frustrating task of figuring out how much they will owe or will get refunded, by the government,” Kron explained. “This stress and confusion only serve to make the scammers’ job easier.”

And tax-themed phishing attacks are a powerful tool for cybercriminals to steal sensitive information such as social security numbers or bank account information, redirect payments or steal credentials that will allow them to file fake tax returns, Kron added. “To defend against these scams, educating people about the types of scams occurring and the red flags, such as links that go to different websites when you hover over them, unexpected requests for sensitive information such as login information or social security numbers, is critical,” he said.

Photo: MBisanz/Wikimedia Commons