State: Malicious code lurks in official-looking tax software updates
The state is warning tax preparers of an email scam that steals customer data.
The scam pretends to be a notice for an important update for tax preparation software. The link and software download seem legit — but once the employee runs the “update,” the software records keystrokes instead.
This type of attack, where an email pretends to be from a trusted source but is actually malicious, is called “phishing.”
The state Department of Revenue issued the warning last week. Once the malicious software is downloaded onto the tax preparer’s computer, the logged keystrokes are sent to cyber criminals, who can search them for login information, passwords and other sensitive data.
Last month the Internal Revenue Service issued warnings for tax preparers to guard against identity theft:
▪ Teach employees to be wary of phishing scams. Do not click on links or open attachments in emails, and always use a software provider’s main web page for connecting to them.
▪ Use strong passwords for both computer access and software access. Such passwords are at least 12 characters long and contain a mix of numbers, letters and special characters. (No, “password” is not a clever password. It’s among the most common passwords.)
▪ Use reliable software to run a deep scan for viruses and malware. Run the software regularly.
▪ Phishing attacks can also arrive via text or phone calls.
▪ Remote computer access software can be a way for criminals to access your system. Review software that employees use to remotely access your company’s network.
Tax professionals should read IRS publication 4557, “Safeguarding Taxpayer Data, A Guide for Your Business,” which includes a checklist to help protect customer data and enhance office security.
Kate Martin: 253-597-8542, @KateReports
This story was originally published August 22, 2016 at 1:20 PM with the headline "State: Malicious code lurks in official-looking tax software updates."