IRS warns of EFIN Scam

The Internal Revenue Service has issued an urgent warning to tax professionals over a new scam in which cyber-criminals impersonate the IRS over email in an attempt to steal Electronic Filing Identification Numbers (EFINs).

Carrying the subject line “Verifying your EFIN before e-filing,” the scam email purports to be from “IRS Tax E-Filing.”

In the body of the bogus email, targets are asked to send an EFIN acceptance letter dated within the last 12 months and scans of the front and reverse of their driver’s license to a fake email address in order for their EFIN to be verified. 

Thieves who obtained the EFIN and driving license data of a tax professional could use it to impersonate that professional and file fraudulent returns.

“Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season,” said IRS commissioner Chuck Rettig. 

“Tax professionals must remain vigilant. The scammers are very active and very creative.”

In an alert jointly issued February 10 by the IRS, state tax agencies, and the tax industry, tax professionals who receive this particular scam email are asked to save it as a file and send it as an attachment to phishing@irs.gov.

Tax professionals were also warned to be on the lookout for other common phishing scams that seek their EFINs, Preparer Tax Identification Numbers (PTINs), or e-Services usernames and passwords.

To Erich Kron, security awareness advocate at KnowBe4, the appearance of tax scams in the first quarter of the year is “as inevitable as paying taxes.”

“These tax-themed email phishing attacks are a powerful tool for cybercriminals to steal sensitive information such as social security numbers or bank account information, redirect payments or steal credentials that will allow them to file fake tax returns,” Kron told Infosecurity Magazine. 

“To defend against these scams, educating people about the types of scams occurring and the red flags, such as links that go to different websites when you hover over them, unexpected requests for sensitive information such as login information or social security numbers, is critical.”