Vermont tax practitioner: IRS putting tax professionals at risk of cybercrime

By Michael Bielawski and Bruce Parker

The IRS is warning tax professionals that email-based phishing scams are putting their business and client data at risk, but a tax preparer in Vermont says the IRS is to blame.

The IRS says about 175 security breaches have occurred among private tax businesses this year as a result of targeted email phishing scams.

An Aug. 4 alert sent to tax preparers says a new email scam is “impersonating tax software providers and attempting to steal usernames and passwords.”

The alert comes at a time of year when tax preparers are making software upgrades and working to meet the Oct. 15 deadline for late tax filers. The alert advises tax services to enact strong security measures “to protect their clients and protect their business.”

But Steve Cairns, owner of Advisor Tax Services, in Stowe, sees an irony in the IRS warning. He says changes to IRS guidelines made business email addresses and other data available to cybercriminals in the first place.

“The IRS admits that, ‘Oh, by the way, we release your email address to the general public because we are required to by FOIA’,” Cairns said.

When Cairns first enrolled as a tax agent in 2005, the IRS didn’t require tax services to provide business or client email addresses. But in 2011 the revenue service created a practitioner identification system that required anyone preparing a tax return to provide those email addresses.

As a result, anyone, including hackers, can use Freedom of Information Act requests to access those addresses. Moreover, due to the FOIA Improvement Act of 2016, the IRS must now make public any agency-held information that was requested three or more times. Cairns says that’s a lot of sensitive information.

To comply with FOIA law, the IRS provides lists of PTIN (Preparer Tax Identification Number) holders and enrolled agents to any interested party via CD-ROM for a $35 fee. The information is also available at the IRS.gov website, according to Cairns.

“I do not work for the government, I’m not paid by the government, and yet the government is violating my privacy because they have determined that my email addresses are public,” Cairns said. “I find that to be extraordinary.”

According to the IRS alert, scammers are contacting tax pros by email and impersonating legitimate tax software providers. They cite the need for an “Important Software System Upgrade,” and thank recipients for trusting the software provider to serve their needs.

Tax professionals are then directed to decoy sites that mimic legitimate tax software companies, and are asked to revalidate their login credentials, sending the data straight into the hands of cybercriminals.

“Instead of upgrading software, the tax professionals are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information,” the IRS warning states.

Cairns said the IRS admits 175 security breaches have taken place just this year. He said tax services may have to spend hundreds of thousands of dollars to recover after falling prey to phishing scams. He added that the revenue service refuses to delete business and client email addresses.

“I requested that they delete my email address, and I had gotten a nice letter back stating that they can’t do that because of FOIA,” he said. “It didn’t take much smarts to figure out that this was dangerous as hell.

“The implication is that we have to do everything to protect our client’s data, which on the surface makes a lot of sense, except that the IRS is working against us,” Cairns said of the numerous IRS warnings.

A second warning sent out on Aug. 8 indicates that many tax services are being hit by the scams.

“Multiple incidents have been reported to the IRS in the past year as tax professionals’ systems have been secretly infiltrated. The criminals accessed client tax returns, completed those returns, e-filed them and secretly directed refunds to their own accounts,” the alert states.

Frustrated with the federal government, Cairns reached out to Sen. Patrick Leahy, D-Vt., for help. He says Leahy’s office knows about the problem, but has not taken action to protect the email addresses from public access.

An email exchange between a representative of Leahy’s office and the IRS government liaison shows that tax professionals are currently trapped by the FOIA Act of 2016. Asked by Leahy’s office if the agency had considered an “opt-out” option for email addresses or discussed the security ramifications of the policy, the IRS liaison replied, “FOIA laws do not allow people to opt out of having their information included. … We have no authority not to comply with the FOIA Act of 2016.”

Cairns said he doesn’t believe the IRS is acting with malicious intent. Instead, he thinks the agency is inadvertently exposing an entire industry to cybercriminals.

“No, I think they are incredibly naïve and stupid,” he said. “And it’s in the interest of the IRS to stop it.”

Michael Bielawski is a reporter for True North Reports. Send him news tips at bielawski82@yahoo.com and follow him on Twitter @TrueNorth82X.

3 thoughts on “Vermont tax practitioner: IRS putting tax professionals at risk of cybercrime”

  1. Hi Jon,

    I did the former when IRS started releasing our email addresses to the public 5 years ago. I am now doing the latter at increased expenditure of time and money. My concern is our rights as citizens. I do not know of any other publicly available database of information for an ENTIRE industry. The current database on IRS.gov contains almost 700,000 entries. When did the Congress determine that our email addresses are public information under FOIA? Answer is they didn’t.

    • Fully understand your dilemma – unfortunately, until it affects a member of Congress personally, all we can do is seek a work-around. If the box wants an email address – give them one. Now that we know what they do with them, make it up.

  2. If I was in the position these tax professionals find themselves, I would create a new email address and put it on a stand-alone system solely to comply with IRS regulations. Anything coming to that address would then be suspect. Cheaper than dealing with stolen client information.
