As recently as a decade ago, accounting and tax scams were a largely analog affair. Clients would be taken in by a confidence trickster, or perhaps by an appeal to their better nature.
Today, the vast majority of accounting scams operate online. And while most people have a pretty good idea of what a con man looks like in person, it can be difficult to spot a sophisticated online scam. For accountancy firms, that’s why shoring up network security is critical, and why it is important to invest in cybersecurity.
We shouldn’t stop there, however. Protecting the data we hold on our clients is only one part of our responsibility to them. We should also take the opportunity to alert them to the accountancy scams they are likely to face, and how to avoid them.
For an accountancy firm, this does more than protect your customers from crime. It can also win you applause, as seen in the coverage of HMRC’s recent response to a scam surge in the UK.
Customers are increasingly looking for companies that take security seriously, and helping to protect them is a good way to improve your brand image. You should understand how important this is when you consider that we live in an era with over 4,000 types of ransomware and 230,000 malware samples created every day.
In this article, we’ll take a look at some of the most common accountancy scams, so you can warn your clients about them. Some will be familiar, others are quite new. All are dangerous.
1] Social Security Numbers
It will come as no surprise to most accountants that the most common form of financial fraud is still hackers trying to steal customers’ social security numbers.
In a variation on the “traditional” impersonation scams, though, some people are now receiving letters which claim that their SSN has been suspended or canceled.
Needless to say, if one of your clients receives a letter like this, they should be able to recognize it as a scam.
2] Natural Disasters
The IRS has recently issued a warning that scammers are using a variety of new techniques: one of these is online auctions, while another is to take advantage of the generosity of clients who would like to contribute to natural disaster relief.
Of course, plenty of legitimate charities will cold-call people and ask them to make a donation. The advice to clients should therefore be to check the credentials of any charity they want to contribute to before they part with any money.
3] Phishing
“Phishing” sounds quite retro in 2020, but the danger of malicious email attachments is as real as ever. As hackers get more sophisticated, they are increasingly able to impersonate governmental websites.
A recent scam involved an email that asked people to enter a “temporary password” in order to access an IRS.gov website, but which actually redirected victims to a malicious file. Statistics show that last year more than 70% of businesses reported being victims of a phishing attack.
4] Taxpayer Advocate Service
The Taxpayer Advocate Service (TAS) has also been a target for hackers recently. Because taxpayers are less familiar with this service than the IRS, they are less likely to spot scam versions of the TAS website. These fake websites can then perform data acquisition on site visitors, in some cases stealing highly sensitive information.
Accountancy firms should warn their clients that they should never enter any personal information into sites like these without consulting their accountant.
5] Loan Fraud
Another novel approach being used by criminals is to impersonate companies with whom clients have taken out a business loan. Information about loans can be stolen from businesses via phishing emails, simple impersonation, or creating “clones” of legitimate loan calculators and tools. Scammers can then use this information to launch a larger attack.
Loan fraud is particularly dangerous for businesses because loan providers are not companies with whom they have frequent contact. Whilst most people get used to recognising the website and corporate style of their bank, for instance, spotting a fake loan provider can be more difficult.
6] Data Leaks
Stealing data from website users is not technically a “scam”, but it works in much the same way. Malicious email attachments (mentioned above) can be used to implement a “man in the middle” attack, where a hacker is able to intercept all of the data passing between a legitimate financial institution and a client.
Protecting clients against this kind of scam is difficult, because often there is no apparent attempt to con information from them. The best advice to give clients is to use cyber security protections, particularly firewalls and reputable VPN services, which encrypt all of the information they exchange online and allow them to surf anonymously.
They also provide hundreds of global servers to provide remote access to users all over the world. This advice goes double for accountancy firms, who should also ensure that they are working with client data in a secure manner.
7] Tax Transcript Fraud
Finally, the IRS has recently pointed to a rise in the number of instances of tax transcript fraud. In this kind of scam, a hacker will impersonate the IRS, and tempt users to open a file by claiming that it contains a sensitive tax transcript.
This type of scam is particularly dangerous for clients who own or run businesses, because fake emails of this kind can be sent to every member of staff. Some staff members are likely to open the attachment – from curiosity if nothing else – and then malware can spread across a business’s systems.
A Final Word
Ultimately, you can provide your clients with the best service if you take the time to understand accounting scams, so you know what they are likely to encounter.
Although every scam is different, and being able to spot each type is important, the general advice to clients is always the same. The IRS, or any legitimate firm, will never initiate contact with people by phone, email, text messages or social media channels to request personal or financial information.
The best advice to give your clients, therefore, is this: if an email, website, or phone call seems suspicious, don’t engage with it.