It is important to stay up on cybersecurity issues. Have you heard about “spear phishing?”
Generally, Spear phishing involves a malicious email “spoof” attack that targets a specific organization or
individual, seeking unauthorized access to sensitive information. Spear phishing attempts are not typically
initiated by random hackers, but are more likely to be conducted by perpetrators out for financial gain.
One possible scenario might involve an email sent to you (CFO, Controller) or your institution’s
President that looks very official, has the IRS logo and a valid U.S. Treasury mailing address, and states
something like:

“IMMEDIATE ATTENTION – Action Required: Your account has now been put on hold.”
“Your organization recently received a Paycheck Protection Program Loan through the SBA in
the amount of $110,650. Recently released regulations have deemed a portion of these forgiven
loans to be subject to federal taxes. You owe past due taxes in the amount of $11,065. In order
to avoid penalties, interest, and/or a lien on your accounts, you must remit this tax amount in the
next 10 days. You may pay by credit card or ACH (please send us the account number and
routing number for the account to be charged).”

The IRS discusses this in News Release IR-2022-36 and says, “The latest phishing email uses the IRS
logo and a variety of subject lines such as “Action Required: Your account has now been put on hold.”
The IRS has observed similar bogus emails that claim to be from a “tax preparation application provider.”
One such variation offers an “unusual activity report” and a solution link for the recipient to restore their
account. The IRS has observed similar bogus emails that claim to be from tax software providers. The
scam email will send users to a website that shows the logos of several popular tax software preparation
providers. The IRS warns tax professionals not to respond or take any of the steps outlined in the email
which also may include malicious links or attachments.”
Are your cybersecurity policies, procedures, and risk mitigation systems positioned to protect your
institution from “spear phishing” attacks such as this? It is certainly something to talk about!

Written by

David C. Moja, CPA

The information provided herein presents general information and should not be relied on as accounting, tax, or legal advice when analyzing and resolving a specific tax issue. If you have specific questions regarding a particular fact situation, please consult with competent accounting, tax, and/or legal counsel about the facts and laws that apply.