How to Protect Your Firm From the “New Client Scam” Targeting Tax Pros

Published: January 24, 2024

Each year, it seems like fraudsters find new, creative ways to try to scam accountants and their clients out of their refunds, financial information, and, well, whatever they can get their hands on. And this year is no different: Before the tax season even started, the IRS reported an increase in a worrisome new scam.

“New Client Scam” Targets Tax Pros

Here’s what it entails: A cybercriminal posing as a new client (hence the Internal Revenue Service’s term, “new client scam”) sends an innocuous-sounding email to a tax professional that either requests help with their taxes or asks if they’re taking on new clients—or some variation of one of these. The email, however, is anything but harmless.

It’s intended to open the door to a second email—sent once the CPA or tax pro responds—that contains a malicious link or attachment. If the CPA or tax pro clicks that link, it will download malware onto the accountant’s computer, letting the cybercriminal access the accountant’s system and get sensitive personal and financial client data.

Some of these emails will be more obvious than others. Red flags to watch out for include oddly phrased sentences and awkward word usage. Unfortunately, scammers are getting craftier, and you can’t rely on these warning signs alone and assume all well-worded emails are safe.

Some of them don’t contain any grammatical or spelling errors at all. And fraudsters are stealing legitimate email addresses and using them to worm their way in under an accounting professional’s radar. The email addresses might even be those of friends and colleagues whose accounts were compromised.

3 Ways to Keep Client Data Safe from the “New Client” Scam

At this point, you’re likely asking yourself, “Well, how am I supposed to figure out what’s a phishing email or not if the red flags might not be there and it looks legitimate?”

Don’t worry: You’re not alone. And there’s good news. Following cybersecurity best practices will help safeguard your tax practice. Let’s review some things to help you battle this new cyber threat.

  1. Verify any prospective new clients’ identities first.
    When you get an email purporting to be from a new client, verify their identity first before you do anything else. Don’t do this by replying to the email or by calling the number the individual provides in the email. Instead, find the person’s contact information online and contact them to confirm they reached out to you. This could be as simple as finding the person’s LinkedIn account and sending them a direct message. This will save you a lot of grief and help protect you from falling into a clever trap.
  2. If your data is breached, report it—fast.
    If one of these or a different phishing email gets past you and your system is breached, don’t keep it a secret. Cyber attacks happen to even the most vigilant CPAs. Report it to the appropriate agency and law enforcement as quickly as possible. Speed is of the essence when it comes to minimizing the impact of a cybersecurity breach. If you act fast enough, the IRS will block fraudulent returns sent in your clients’ names and take additional steps to protect you and your clients, thus softening the blow and helping to ensure a bad situation doesn’t get even worse.
  3. Only communicate with clients through a secure online portal.
    The fact is, email just isn’t safe anymore, especially when you’re talking about sensitive financial and personal data. Remove the threats posed by email by requiring all your clients to upload and share their data with you through a secure online portal for accounting firms instead of exposing yourself to what could be malicious email links.
     
    When you receive an email (or phone call) from a potential new client, you still must confirm their identity and ensure you have the correct contact information, as noted above. Once confirmed, you can start your onboarding process – something the client portal can help you manage and automate – and show your clients how to send you their information securely.
     
    Make sure you have a client portal that provides eSignatures with knowledge-based authentication; this is an additional layer of security used to verify the identity of the person signing the document.

Experts and leaders in the accounting profession use SmartVault’s document management system and client portal because it’s user-friendly, helps with compliance, has bank-grade security, and stores all documents in one centralized hub. To see how SmartVault can keep your data safe and elevate your workflows, schedule a demo with us today.