Why We Won’t Open Your Attachment or Click on Your Link

Dear Geoffrey,
I am attaching a PDF with my W2 information for my tax return.

Dear Sterck Kulik O’Neill,
Can you tell me how much it would cost for you to do my tax return. I am sending a PDF copy of last year’s return with this email.

Hey, Charles. I have uploaded my tax information to http://bit.ly/my2017taxinformation .

A few times a month we get messages inviting us to open an attachment to an email or to click on a link where we are supposed to get information a client (or prospective client) has sent us.

We don’t click to open or follow! Even when the messages come from an email address of a client we know.

Few of the messages we get out of the blue — from people we know and from people we don’t know — are legitimate! They are Spear Phishing attempts. Spear Phishing attackBad guys stuff malicious software in the PDF they are attaching in the hopes that our anti-virus software is weak or out of date. Or, they set up a web page that tries to download evil code to infect our computers, probably when we think we’re clicking to download the promised information.

They can address us by name by picking off our identities and email addresses off the Internet. They can pretend their clients of ours because they’ve broken into a client’s computer and are accessing their list of contacts.

These guys know their business and are hoping that someone will let their guard down for just a minute! And, the busy tax season time, CPAs are distracted. We are much more likely to CLICK without thinking.

But, so far, no one in our office has succumbed to the temptation to click. We keep telling ourselves that our clients know not to send sensitive information by email —  the data could be read and the ripped off by someone monitoring along the way. Moreover, we provide our clients with a secure portal to upload and download their information.

So, if you send us an email message that suggests we open an attachment or visit a link, we won’t click! (Really, we will try very hard not to click!)

Usually we don’t even respond to emails we think might possibly be from scammers. If the message is from a client, we may call and see if they really sent the message or suggest that their email has been hacked.

Of course, you should not email your social security number, private financial information, or even credit card numbers to anyone as a normal Word document, PDF, or plain text. It’s just too easy for a bad guy to monitor the Internet and help himself to your private info.

But, even if you’re willing to take the risk of identify theft by mailing your tax return to us, to your mortgage broker, or to your attorney, a smart person won’t open the document unless you’ve just talked to them and told them what is coming. (And, when you give your notification, they should tell you to use a secure transfer method!)

So, use our portal to send information or contact for other ways to get delicate data to us!

Phony Treasury Agents are Calling YOU!

Tax Collection Scam warning posterThey’re back!!!!!

Last week’s message on my cell was an automated voice from the “legal department at the US Treasury” demanding that I call them about my tax fraud that they were investigating.

We’d hoped that the recent bust in India of a guy suspected of running a swindling call center that made similar calls would stop the crooks for a while.  (Story on the alleged crook’s arrest.)

The recorded messages is so poorly made that most people would suspect that it’s a fake.

Give it a listen!

The bad recording is good technique, though. Anyone scared enough or ignorant enough to think the recording is really from the government is a better than average mark for the crooks.

In case you have any doubt about this recording — or about a more professional-sounding call, either live or recorded — the Treasury Department does not call anyone about taxes due. The Internal Revenue Service (IRS), the actual tax collection agency, does not call anyone about taxes due. They also don’t email you threatens about overdue taxes!

The IRS will send you a notice via the United States Postal Service.  That is how you learn that the government is questioning something in your return. And, the conversation never starts out threatening you with jail!


They’re Not from the Government, and They’re Not Here to Help

Sometimes people don’t file their taxes and ignore the tax collector’s notices. To get your attention, the government will create a wildly high estimated tax bill and put a lien on your property.

When we are contacted by clients who have had liens put against them, they are horrified. They were busy, their finances were too complicated that year, or they were worried about the size of what they might owe and they just couldn’t get themselves to deal with the problem.

We — and most reputable accounting firms – can resolve the non-filing complaint, adjust the tax bill, and, if needed, work out a payment plan for the taxes.  The steps to resolution are low-key, routine, and straight forward.

  • First, we help you file your taxes for the year in question.
  • The lien against your assets will be lifted when you pay the new, and probably much lower, tax bill.

Clearing up the problem isn’t painless.  You’ll have to pay for the taxes owed on your actual income, penalties, interest, and for the tax preparation. Ouch! But, the path to fixing the problem is clear and relatively drama free.

Unfortunately, we have discovered a vulture industry that goes after taxpayers who have trouble with the IRS or state tax collectors.  A client shared with us the blizzard of come-ons he received once the tax lien against him was recorded and made part of the public record.

Scam Notice Square Collage
Sample of Notices Received. Click to see more.

These notices mimic official government notices — they’re not!  

They are designed to get scared taxpayers to call a phone number without thinking about who they will be talking to.

The language and style they all use is designed to trick you into believing you’ll be talking directly to the government.

The language each of these companies use is remarkably similar. Everything is URGENT, or FINAL.  Several of the notices give a made-up case or file number… a number that has nothing to do with what the real tax collectors are using.  One company says that they’ll get the $377,548 tax bill reduced to $79,509.60… another suggests if you work with them the final bill will be $18,499.85. The warn, if you don’t respond to their notice, your wages will be garnished and bank accounts seized.  (See a larger photo of the frightening notices this one client received.)

A couple letters say that they are from government-sounding organizations such as “The Taxing Authority” or “Tax Group”.  Others don’t tell you who the letter is from… you’re supposed to assume that it’s from the government. A couple even came in envelopes with the official-sounding warning:

$2,000 Fine or 5 Yrs. imprisonment or both for any person who interferes with or obstructs the delivery of this letter or otherwise violates Sec. 18 United States Code 1702.

Doesn’t this warning apply to all mail tampering?!

Some — but not all — of the letters say that they are NOT from an official government agency.  But, those disclaimers are in small type and designed to be overlooked.

We don’t know how any of the companies who send the breathless, fear-mongering notices plan to help solve the taxpayers problem.  But, we really don’t like the attempt to trick people into thinking that they are dealing with a government agency when they are not.

Our advice to people who receive tax notices or who have tax liens placed against their assets: call us or another professional tax preparer who doesn’t try to get new clients by tricking them or making them crazy frightened!



Why the IRS Hack Wasn’t all the IRS’s Fault

Goofy looking man
This taxpayer helped crooks download his tax return

The people that broke into the IRS website last week and downloaded the 100,000 returns had help from their victims.

The IRS had set up questions designed to ensure that only the taxpayer obtained access to the stored tax form. Some of the information the IRS asked for (birth date, street address) can be gathered from other government sites. In addition, the IRS says it asked, “several personal identity verification questions that typically are only known by the taxpayer.” (See the IRS statement)

Posts to social media may have given the hackers some of these answers (such as marital status). Other answers could be guessed or copied from other web sites the bad guys had gotten into.

The IRS has not released the list of additional validation tests it made, but we have two immediate suggestions:

  1. Review the information you’ve posted about yourself on Facebook, Twitter, and other social media sites.  Think like a crook. Have you published enough information for a evil doer to be able to answer the security questions websites typically ask for when you’re asking to reset your password?

    If so, remove some of the information or change who can see all of your information.

  2. When a website asks for your favorite color, food, or first pet’s name, don’t tell the truth!  Make up a nonsense answer like “Swablar”  that you will remember but cannot be guessed or found associated with you anywhere online.

We’ve read articles saying that those validation questions asked by sites are dangerous because so many of the responses (pet’s name, high school, first boy/girlfriend) can be either found on Facebook or on other public sites.

Other answers are so common that thieves can get authenticated by simply typing in the most popular responses. We’ve seen articles that said “pizza” is the favorite food of a majority of Americans, so even if pizza is your favorite food, answer “Swablar”.  I don’t even know if a “Swablar” is edible, but it’s not likely to be guessed by a crook!

In addition, when you participate in a meme on Facebook or another site that says it’s going to tell you what city you should live in, what religion you should be, or what celebrity you are like, be careful!  Are you typing answers to any of your security questions on another site?  Who is running the meme anyway?

Finally, although this week’s IRS hack doesn’t seem to involve weak passwords, please consider switching to a password vault application like Lastpass.  These apps remember your passwords and will generate difficult-to-crack gibberish passwords which will keep you safe(r).  (For more on Lastpass, read a posting made after the 2014 Kickstarter hack.)

Disturbingly Good Phony Email!

It’s tax season, and you expect to receive messages from your accountant about your finances. But, beware!

Scammers trying to get you to click on a link to download evil programs that run on your computer are ready to take advantage of your anxiety over taxes!  Be especially careful of emails that are supposedly from us or other tax preparers.

This weekend we received the first message in a very, very frightening string of emails designed to get us to click on a link to a website where a damaging program awaited us. We did not go to the website. But, if we had, our computer, our online activity, and our contact lists would all have been at the mercy of some sophisticated bad guys.

Here’s what happened to us.

Saturday we received an email from another local CPA.  The message looked like this, except I’ve substituted a pseudonym for the real CPA and used our firm’s email address and contact information instead of hers.

From: Sally Smith [mailto:[email protected]]
Sent: Saturday, March 21, 2015 5:27 PM
Subject: Important document

Please see the attached file for your review.

Thank you,

What we didn’t notice in the email was that the return email address was [email protected]cap.com and not [email protected]cpa.com.  But, doesn’t the message look like something your accountant might send you talking about your taxes?

We are suspicious people, so although we knew the CPA who sent us the email, we hadn’t talked to her recently and wondered why she had sent us a link for a document.  We replied to her email and asked her.

Hi Sally,
I wasn’t expecting an email from you. Please let me know if you intended me to get this and what it is.

Galen Workman
Sterck Kulik O’Neill accounting group, inc.

But, remember, the email address had been doctored from [email protected] to [email protected]  So when we replied, our message went to the bad guys.

And, the bad guys responded!

From: Sally Smith [mailto:[email protected]]
Sent: Monday, March 23, 2015 9:26 AM
To: Galen Workman
Subject: Re: FW: Virus?

Not a virus.

Sally Smith, CPA EA

Enrolled to Practice and Represent Taxpayers Before the IRS
150 Post Street, Suite 350 San Francisco, CA  94108
Phone: (415) 433-4500
Fax: (415) 433-4765
E-mail: [email protected]

This time, not only did the bad guys reassure me that their email was “not a virus” they also included Sally’s signature block to make the email look even more legitimate.

The email still smelt bad, so we really looked at it.  This time we noticed that the messages were coming to/from [email protected]cap.com instead of [email protected]

We called Sally, and she said she knew that her email system had been hacked.  The same message we received went to all of her clients, and she was emailing them about the scam.  When we told her about the reply we got to our emailed question and the slightly different domain name (cap vs. cpa), she was horrified.

The bogus domain name is registered at GoDaddy, just as her legitimate domain name and site. When I looked up the IP address for the bogus domain, the crooks’ website appears to be hosted at GoDaddy, too.  So, the crooks are apparently using a well-known American domain name registrar and hosting service.

Wow!  What guts.

Malware Word CollageProtect Yourself!

  • Don’t open attachments or click on links in emails, unless you’re expecting something from the sender.
  • Verify that email that looks like it’s coming from someone you know, really is coming from someone you know!  Do that by carefully reading the return email address.  And hover your cursor above any links in an email to see where the link is really sending you.

    I can create a link that says www.Google.com, but really sends you somewhere else.  Hover the cursor over the link before clicking to see the real destination.  In an email the real destination appears over the link.  On a webpage like this one, the real destination will appear somewhere discreet, usually at the bottom of your screen.)

When in doubt, don’t click!  Pick up the phone and call the sender!