Cyber Threats

Latest spearphishing scams target tax professionals

February 16, 2022 4:21 pm

Below is an IRS Press release regarding recent scams targeting Tax Professionals.

With tax season in full swing, the Internal Revenue Service, state tax agencies and tax industry today warned tax professionals of new email scams that attempt to steal their tax software preparation credentials.

The Security Summit partners warned these  scams serve as a reminder that tax professionals remain prime targets for thieves. These thieves try to steal client data and tax preparers’ identities in an attempt to file fraudulent tax returns for refunds.

The latest phishing email uses the IRS logo and a variety of subject lines such as “Action Required: Your account has now been put on hold.” The IRS has observed similar bogus emails that claim to be from a “tax preparation application provider.” One such variation offers an “unusual activity report” and a solution link for the recipient to restore their account.

“Scams continue to evolve, and this one is especially sinister since it threatens tax professional’s accounts,” said IRS Commissioner Chuck Rettig. “Tax professionals must remain vigilant in identifying and staying clear of these IRS impersonation emails. A little extra care can protect the tax professionals and their clients.”

Emails claiming “Your account has been put on hold” are scams

The IRS has observed similar bogus emails that claim to be from tax software providers. The scam email will send users to a website that shows the logos of several popular tax software preparation providers. Clicking on one of these logos requests tax preparer account credentials.

The IRS warns tax pros not to respond or take any of the steps outlined in the email. Similar emails include malicious links or attachments that are set up to steal information or to download malware onto the tax professional’s computer.

In this case, if recipients enter their credentials into the pop up window, thieves can use this information to file fraudulent returns by using credentials that were provided by the tax professional.

An example of this type of bogus email states:

———————————————————————————————————————Your account has now been put on hold

ALL preparers are required to apply security feature to their Tax Pro account towards 2021 Tax Returns processing.

You have failed to apply new update before expiry date

You are restore and update your acc|ount immediately.

Please Click Here to update your acc|ount now.

Important

Failure to update your account within the next 24hours will lead to you account being terminated and be barred from filing tax returns  claims for 2021 tax season Your access will be restored once you have updated your details

Sincerely,

IRS.gov eServices

———————————————————————————————————————

Tax professionals who clicked on one of the URLs and then entered in their account information should contact their tax software preparation provider’s support hotline.

Tax professionals who get a scam email should save the email as a file and then send it as an attachment to phishing@irs.gov. They should also notify the Treasury Inspector General for Tax Administration at www.tigta.gov to report the IRS impersonation scam. Both TIGTA and the IRS Criminal Investigation division are aware of this scam.

The IRS, state tax agencies and the nation’s tax industry – working together in the Security Summit initiative – have taken numerous steps since 2015 to protect taxpayers, businesses and the tax system from identity thieves. Summit partners continue to warn people to watch out for common scams and schemes this tax season.

For additional information and help, tax professionals should review Publication 4557, Safeguarding Taxpayer Data and Identity Theft Information for Tax Professionals.

Federal Jury Duty Phishing E-mail

November 30, 2021 3:00 pm

Below is a screen-shot of what appears to be a phishing e-mail purporting to be for jury duty in a “federal class action” in Washington DC. The links are fraudulent and attempt to capture your personal information.

Citrix Attachments

October 28, 2021 4:18 pm

On October 28, 2021 a firm reported their email had been compromised and that phishing emails were being sent out with fraudulent links. Below is an image showing what the email looked like. Please use caution opening any emails like this that lead you to somewhere that asks for your username and password. These types of scams will collect your email address and password and then use your email account to send more phishing emails. 

Recent Phishing Email Scams

October 1, 2021 2:10 pm

The WV State Bar has been contacted regarding an email that contains a blue box with a yellow link that says “Review Document”.  When you click on the link it then takes you to a fake “google sites” website and asks for you to login. It then collects your email and password and takes you to a blank page. 

If you received and email that looks similar to the one below and did entered your email and password once at the link please change your password immediately. 

Three important factors that you and your staff should pay attention to when opening an email:

1. If you are not expecting a document from someone and receive one, contact that person directly to see id they are trying to send you something BEFORE YOU CLICK ON THE LINK IN THE EMAIL. 
   
2. Do not ever provide login credentials (username and password) on a website that has a different address other than google.com, microsoft.com, yahoo.com, etc. service that you are trying to login to.
   
   – There are many websites that allow your to link your email account to their service but they will first provide you with a popup window or take you to a google or Microsoft addressed website when providing those credentials.
   
3. If you hover your mouse over the link it will show you the address in which it is trying to take you to. If it is suspicious do not click the link.

Suggested Mitigation/Prevention Strategy

Use Multi-Factor Authentication on all important logins. Below is a document with more information on what Multi-Factor Authentication is.

Fraudulent Emails Regarding Lawyer Referral Service

October 5, 2020 12:02 pm

Some WV State Bar Members who are not a part of the WV Lawyer Referral Service have received fraudulent emails asking if their firm handles “Litigation Cases”. The email comes from an out of country email address. If you have received emails like this please do not respond to them. If you are a part of the Lawyer Referral Service all correspondences will come from the email address “no-reply@send.community.lawyer”

HOW TO SPOT A PHISHING EMAIL

December 3, 2019 10:58 am

Attorneys continue to be an attractive target for hackers due to the large amount of personal information they retain related to their clients. Increasingly more sophisticated phishing emails are one of the most common techniques hackers will use to access this information.  30% of phishing emails are opened, and 91% of hacking attacks begin with a phishing email. Lawyers and law firms are often regarded by hackers as targets who might provide convenient back-door access to sensitive client data (and money).

Anne Haag is a Practice Management Advisor at the Chicago Bar Association and prepared the below video on “How to Spot a Phishing Email” 

Phishing Emails Impersonating State Bar Staff

February 14, 2019 9:16 am

Throughout January 2019 there have been reports from members receiving emails from fraudulent email accounts attempting to impersonate a State Bar staff member. If you receive one of these emails please mark it as spam and delete the message.

The State Bar does not email invoices to members unless the member completes a form requesting to pay via check on our membership website www.mywvbar.org.

Below is an example of one of the emails received by a State Bar member.

___________________________________________________________________

From: The West Virginia State Bar <c.castro@corporacionurimar.com>
Sent: Friday, January 18, 2019 8:29 AM
To: ———————
Subject: Re: Invoice #18204 Message

Please see attached and thanks!

I have enclosed a copy of the invoice for your reference, you can download view using this link

The West Virginia State Bar
mellacem@wvbar.org

NEW EMAIL SCAM REPORTED:

February 7, 2019 4:26 pm

Multiple West Virginia Law Firms have reported scams involving “prospective clients” that use doctored information related to sexual harassment settlements. The prospective client provides very convincing evidence and a fake cahiers check to the attorney that is then rejected by your bank after processing.

The basic premise is that the individual was an employee of Sunbelt Rentals in Charleston, WV.  A new female manager (who was related to the CEO) transferred into the location. The female manager then began making sexual advances toward the prospective client. Refusing the advances, the prospective client made a complaint. He was allegedly terminated shortly thereafter.  The URL for the corporate email address is not a valid URL (although it looks very close to Sunbelt’s actual website).   

Fastcase – Email Phishing Scam via Phil Rosenthal’s Account

February 1, 2019 9:29 am

If you received a phishing email on 2/1/2019 from Phil Rosenthal due to his Fastcase email account being compromised.  The subject line is “RIVIEW DOCUMENT.”  For your own security, please do not open nor click the attachment.  Please delete the email immediately, if you haven’t already.

The Fastcase team has taken immediate steps to further secure our email accounts in an attempt to prevent this from happening again.  We’re sorry for any confusion this has caused.

MARRIOTT DATA BREACH: Basic Consumer Information

November 30, 2018 9:53 am

THE FOLLOWING IS INFORMATION RELATED TO A LARGE DATA BREACH THAT MARRIOTT DISCOVERED. WE ARE PROVIDING THIS INFORMATION TO OUR MEMBERS BECAUSE WE BELIEVE IT MAY BE HELPFUL.

__________________________________________________________________

MARRIOTT DATA BREACH: Basic Consumer Information

WE ARE AWARE AND ACTIVELY MONITORING THE BREACH

Marriott’s reservation database (Starwood Reservation Database) was hacked.

Hackers mined/collected data for 4 YEARS before discovery of the breach.

Hackers accessed: names; birthdays; passport numbers; email addresses; mailing addresses; and phone numbers

HACKERS MAY HAVE ACCESSED FINANCIAL INFORMATION, including credit card numbers, PIN numbers, and/or expiration dates

500 million consumers (worldwide) affected by the breach (# of WV consumers unknown at this time).

Breach includes SHERATON, WESTIN, and ST. REGIS hotel chains.

Marriott has created a website and call center for consumer inquires.

Consumer Website:                        info.starwood.com

Dedicated Call Center:                   1-877-273-9481

Marriott is also offering free enrollment in Webwatcher (which is a monitoring service). We’re reviewing the webwatcher program and cannot advise consumers on the pros and cons of the service at this time.

Free Webwatcher Enrollment:   info.starwood.com

Phishing Email – December 7, 2017

December 7, 2017 4:45 pm

On December 7, 2017 a few members of the State Bar received phishing emails with the subject “FYI” If you received this email please delete it and do not open the attachment. Below is a screenshot of the details.

FYI – Amazon Gift Cards

November 7, 2017 3:25 pm

The following message was reported as fraudulent. Steptoe & Johnson PLLC reported the activity.

Sent: Tuesday, November 07, 2017 1:17 PM
Subject: FYI – Amazon Gift Cards (Do Not Click!)

The Following E-mail is making the rounds and, as much as I wish to say we are giving away Gift Cards, the sad fact is that we are not.  Please do NOT click on the link or fill out any information to claim your gift card – you will only receive heartache and not $20.

—————————————-

From: Daved Gormon [mailto:Daved.Gormon@work-rewards.com]
Sent: Tuesday, November 07, 2017 12:28 PM
To: Angela Fazzini
Subject: Good job. Here is a token of our appreciation.

Google E-Sign & Google Drive

May 11, 2017 2:51 pm

Suspicious emails have been going out to the general public saying you need to click on a link to “e-sign” a document through google or access a shared document. These emails claim to be relating to a document saved within Google Drive or E-Sign but are actually fraudulent phishing email links.

Below is an example of the fraudulent email.

Email Spoofing

March 22, 2017 10:38 am

On Tuesday March 21st, State Bar President McGhee reported that fraudulent emails are being sent out to bar members using his email address. The individual that is sending these emails is requesting payment information via email. These emails are being “spoofed” the individual is using an unauthenticated email server. These emails should be deleted as soon as possible if you receive one. No phishing links were included in the email. The State Bar and its Board of Governors do not request payment information via email in any circumstance.

If you receive any emails similar to the event described above please contact Mike Mellace at mellacem@wvbar.org .

WVSAO Phishing Email

March 14, 2017 10:50 am

Notice of Potential Scam Involving Correspondence from Office of Disciplinary Council

December 1, 2016 3:41 pm

The WV Office of Disciplinary Council has advised that bar members in Pennsylvania, Texas and Maryland have reported receiving an email claiming a grievance has been filed against them and giving them 10 days to respond. The email invites them to “click here” for more information.

None of the disciplinary agencies are responsible for these emails. The link loads a malicious software called ransomware on your computer that blocks computer access until a sum of money is paid.

We are no aware of any similar scams in WV, however, be alert. If you receive this type of email, delete it immediately. If you have any questions about any emails received from the Office of disciplinary council, contact that office at www.wvodc.org or 304-558-7999. Do not click on any links.

Wire Fraud Issues

November 28, 2016 8:35 am

Charleston, WV – A WV State Bar member recently reported being hit with a wire fraud issue twice in the last year, and another law firm recently wired fund to the wrong account based on a fraudulent e-mail.  In both cases a realtor’s e-mail account was hacked.  In the first case, the buyer received alleged wire instructions from our office to send the funds for closing.  Fortunately, we had asked for a cashier’s check and buyer brought to our attention.  In the second case, our seller allegedly sent wire instructions for their proceeds, to which it was sent, but immediately recovered by the bank.  Lawyers need to verbally call the recipient of the wire and verify the instructions, as well as obtaining copies of driver’s licenses.  Also, lawyers should be sending wire instructions via secure e-mail.  Generally, the hacker will get into a Yahoo account (either realtor or lawyer) and then spoof the party who is sending the wire instructions.  Here is is a link to a recent Florida Bar New article.

Good Day Attorney

November 18, 2016 3:58 pm

The following email has been reported by multiple attorneys as being a fraudulent email.

ATTORNEYS BEWARE OF CLIENT TRUST ACCOUNT SCAMS

November 18, 2016 3:40 pm

The State Bar has become aware of fraudulent schemes that have targeted lawyers’ client trust accounts throughout the country. From email that the ADO has received from its counterparts in other states, there appear to be two variations that have been used during the last few months. The first scheme is an advance fee “confidence scam” which involves what purports to be a business proposal from officials of a foreign government or foreign business. Typically the lawyer receives an unsolicited email from a company in China (or other location in Asia). The email states that the sender has found the lawyer’s name in an online legal directory The sender then advises the lawyer that he (or she) would like to retain the services of the lawyer to collect a judgment from a local business. The lawyer then performs some preliminary research and determines that the local business is a legitimate business. A contingency agreement is entered into. Within days, and prior to a demand letter being sent, the lawyer receives a cashier’s check from the local business for a large sum of money (normally several hundred thousand dollars) towards the judgment, with a note explaining the purpose of the check. The check appears to be from a local bank The lawyer then deposits the check into his/her client trust account. The Chinese business then contacts the lawyer and advises that the business needs all (or a portion) of the settlement proceeds immediately to cover on-going business expenses. The lawyer is advised that he/she can retain his/her contingency fees from the amount that is requested to be transmitted to the Chinese business. The lawyer then calls the bank in which he/she is holding client trust funds to inquire if funds are available, and is advised that they are. The funds (less the lawyer’s fees) are then wired to the scammer’s account in China (or elsewhere in the Far East). Within days, the lawyer is informed by the bank holding his/her client trust account that the local check was a forgery, and the lawyer is then out of trust by several hundred thousand dollars. The scams normally work because the victim lawyers do not appreciate the difference between funds that have “cleared” (or are collected), and funds that are available for use. Banks are required to make funds available for use within a few days of the deposit of checks, even though the funds often are not actually collected until nearly two weeks after the checks are deposited. The second type of scam that has been reported by other states involves the collection of a divorce settlement that has been allegedly reached with the scammer’s ex-husband. The scammer informs the lawyer that she is currently on assignment in a far eastern country and has an agreement for the husband to pay her several hundred thousand dollars, plus legal fees. The rest of the scam proceeds in a manner essentially similar to the judgment collection scam outlined above, and involves the deposit of a forged cashier’s check into the lawyer’s client trust account and the wiring of the client’s share to a foreign bank. Attorneys are warned that if the proposition appears too good to be true, it probably is. One should always be extremely wary of email communications from anyone you don’t know. Finally, it is extremely important that lawyers know the difference between available funds and collected funds