Another twist on the old phishing schemes. This one has been directed at CPAs during the tax season, but similar schemes have been used to gather information from attorneys, insurance agents, mortgage brokers, real estate agents, and other professionals.
This email appears to come from a client or a potential new client. In the email example above, the email appears to be coming from Kevin Miller, who is asking me to do his taxes. Since I do not do taxes and in no way advertise for tax clients, the email is suspect on its surface, but let’s dissect it a bit further.
First, would you accept a new client with no contact information except an aol.com email address? Second, why would a client send you their tax information without first discussing fees? Third, why would a client use a tinyurl to send their tax information? I think everyone realizes that if you click on the link you will be downloading malware onto your computer.
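The warning signs above (a sender with no existing relationship, a free webmail address, a shortened link that hides its destination) can be checked automatically before a message reaches staff. The Python below is an added example, not part of the original post; the domain lists, the `red_flags` function and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists for illustration; a firm would maintain its own.
FREE_MAIL = {"aol.com", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

def red_flags(raw, known_clients):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    domain = addr.rpartition("@")[2]
    # Prefer the plain-text part; fall back to HTML so links are still seen.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    flags = []
    if addr not in known_clients:
        flags.append("sender is not an existing client")
    if domain in FREE_MAIL:
        flags.append("free webmail address: " + domain)
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENERS:
            flags.append("shortened link hides destination: " + host)
    return flags

# Constructed sample modelled on the email described in this post.
SAMPLE = """\
From: Kevin Miller <kmiller-example@aol.com>
To: cpa@firm.example
Subject: Please prepare my taxes

I need my taxes done. My documents are here: http://tinyurl.com/PLACEHOLDER
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE, known_clients=set()):
        print("FLAG:", flag)
```

A message that raises any of these flags is a candidate for the phone call described in the controls below before anyone opens its link.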
There are several internal controls a firm can implement to protect itself from this type of fraud:
- Train employees to identify suspicious emails and not to click on links in those emails
- Make sure that you speak with a client on the phone before accepting electronic documents
- Never open links for documents from a client unless you have a retainer or advance fee
- Have good antivirus, antimalware, and antiransomware software on your system
- Make sure your antivirus, antimalware, and antiransomware is up to date
- Forward the email or the URL of the website to the IRS at email@example.com.
For more information review IR-2017-03 which can be viewed at