Voice Phishing (Vishing): How Criminals Use Phone Calls to Target Tax Professionals
Phone-based scams targeting tax professionals are on the rise. Learn to recognize and defend against voice phishing attacks.
While email phishing gets most of the attention, voice phishing—or vishing—represents a growing threat to tax professionals. Criminals use phone calls to impersonate clients, the IRS, software vendors, or other trusted parties, attempting to extract sensitive information or manipulate you into taking harmful actions.
How Vishing Works
Vishing attacks exploit the immediacy and personal nature of phone calls. Unlike email, where you have time to analyze and verify, a phone call creates pressure to respond in the moment. Criminals use this urgency to their advantage, often claiming situations that demand immediate action.
Attackers may research you beforehand, learning enough about your practice, clients, or business relationships to sound legitimate. Caller ID can be spoofed to show familiar numbers. Combined with confident delivery, these tactics can be surprisingly convincing.
Common Vishing Scenarios
IRS impersonation calls are among the most common. Scammers claim to be from the IRS, often threatening arrest, license revocation, or lawsuits unless immediate payment is made. The real IRS typically initiates contact by mail and never demands immediate payment or threatens arrest.
Client impersonation is particularly dangerous for tax professionals. A caller claims to be a client, says they need to update their bank account information for their refund deposit, or requests copies of their prior returns. Without verification, you might send sensitive information to a criminal.
Technical support scams target your technology. A caller claims your tax software has a security issue, your computer has been compromised, or they need to update your account. They may ask for login credentials or remote access to your computer.
Red Flags to Watch For
Urgency is the biggest warning sign. Legitimate callers understand that you need to verify their identity and will give you time to do so. Anyone who insists you must act immediately, without verification, is likely not who they claim.
Requests for information you shouldn't provide over the phone—passwords, account credentials, Social Security numbers—are suspicious regardless of who the caller claims to be. Legitimate entities have secure processes for handling such information.
Threats and intimidation tactics indicate scams. Real government agencies, clients, and vendors don't threaten you to force immediate action.
Verification Protocols
Establish procedures for verifying callers before providing any sensitive information or taking significant actions. If someone claims to be a client, call them back at the number you have on file, not the number they just called from.
For calls claiming to be from software vendors, the IRS, or other organizations, end the call and contact the organization through known, verified channels. Look up their number independently rather than using any number provided by the caller.
Staff Training
Everyone in your office who answers phones needs to understand vishing threats. Train staff on verification procedures and empower them to politely decline requests that don't follow proper protocols. A criminal may try to intimidate staff by claiming urgency or authority.
Create a culture where it's okay to pause, verify, and even hang up on suspicious calls. Better to momentarily inconvenience a legitimate caller than to fall victim to fraud.
Reporting Vishing Attempts
Report suspected vishing attempts to the appropriate authorities. IRS impersonation scams can be reported to TIGTA. Other fraud can be reported to the FTC. Documenting and reporting attempts helps authorities track criminal activity and warn others.
Share information about current vishing tactics with colleagues. Awareness of what's circulating helps everyone recognize attacks when they encounter them.