Small Firms Hacked for Tax Returns

Smaller accounting firms beware: attackers are being found stealing tax return records.

Trevin Mowery, a former Dixon Hughes Goodman Digital Forensics Associate expands, "I do expect that this is a serious threat to smaller firms. If any of you have contacts with smaller CPA firms (typically less than 10 employees) please reach out and help them secure their network if possible." 

Trevin, who now works for Cylance, has responded to 15 of these attacks just this year. Here are the attack details we know:

• Attack Vector: Open *RDP to External IP Addresses
o Attackers scan the internet for open RDP

• Targeting small CPA firms with little or no IT staff

• Brute-force attacks lead to a successful attacker login
o Several hundred thousand failed logins before success

• Once access is gained, the attacker starts searching for tax documents
o Search terms such as “irs”, “return”, “1098”, etc.
o Pivot to other machines in the environment, usually fewer than 15 computers

• Open tax software
o Lacerte, QuickBooks, UltraTax, etc.
o They know the programs to target

• Exfiltrate data

• File fraudulent tax returns
o Refunds are sent to reloadable VISA gift cards

• Very hard to trace
o Source IPs are in eastern Europe, Africa, etc.

• Firms find out when the IRS reports that clients’ returns have already been filed

*Remote Desktop Protocol (RDP) is a Microsoft protocol that provides a remote graphical desktop session between a client and a server over an encrypted channel. It lets a remote user see and control the desktop of another computer as if sitting in front of it.
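The detail that matters most for a small firm is the one in the list above: several hundred thousand failed logons preceded the one that succeeded, which means the intrusion was visible in the Windows Security log long before the IRS called. The following is an added example, not code from the original post or from Dixon Hughes Goodman or Cylance. It runs a simple brute-force-then-success rule over a constructed, simplified feed of Security events (one line per event: timestamp, event ID, logon type, source IP, account), where 4625 is a failed logon, 4624 is a successful logon and logon type 10 is RemoteInteractive, i.e. RDP. The line format, thresholds, account names and IP addresses are assumptions made for the example; the real events would be pulled from the Security log with Get-WinEvent or a log collector.

```python
"""Flag RDP password guessing, and the moment it succeeds, from Security events.

Added example (not from the original post). Input is a constructed,
simplified feed of Windows Security events, one per line:
    <ISO-8601 timestamp> <event_id> <logon_type> <source_ip> <account>
Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_event(line):
    """Parse one constructed event line into a dict with an aware datetime."""
    ts, event_id, logon_type, src_ip, account = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src_ip": src_ip,
        "account": account,
    }


def detect_rdp_bruteforce(lines, fail_threshold=100, window=timedelta(hours=24)):
    """Return alerts for source IPs with many failed RDP logons in `window`.

    Two alert kinds are produced:
      bruteforce_in_progress - the count of failures from one IP reaches
                               fail_threshold (fires when the count first gets there)
      bruteforce_success     - a successful RDP logon arrives from an IP that
                               still has >= fail_threshold recent failures
    Failures are tracked per source IP in a sliding window so a long-running
    attack is not hidden by the size of the log.
    """
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    failures = defaultdict(list)  # src_ip -> timestamps of failed RDP logons
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons matter for this rule
        ip = ev["src_ip"]
        recent = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev["ts"])
            if len(recent) == fail_threshold:
                alerts.append({"kind": "bruteforce_in_progress", "src_ip": ip,
                               "failed_attempts": len(recent), "at": ev["ts"].isoformat()})
        elif ev["event_id"] == SUCCESS_LOGON and len(recent) >= fail_threshold:
            alerts.append({"kind": "bruteforce_success", "src_ip": ip,
                           "account": ev["account"], "failed_attempts": len(recent),
                           "at": ev["ts"].isoformat()})
        failures[ip] = recent
    return alerts


def build_sample_log():
    """Constructed sample: one guessing campaign that succeeds, one that has not
    succeeded yet, and a staff member who mistyped a password twice."""
    base = datetime(2019, 3, 1, 1, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Attacker from a documentation-range address: 300 failures, 10 s apart, then success.
    for i in range(300):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 4625 10 203.0.113.7 administrator")
    lines.append(f"{(base + timedelta(seconds=3000)).isoformat()} 4624 10 203.0.113.7 administrator")
    # Second source still guessing: 150 failures, no success so far.
    for i in range(150):
        t = base + timedelta(hours=1, seconds=5 * i)
        lines.append(f"{t.isoformat()} 4625 10 198.51.100.23 admin")
    # Legitimate user: two typos from the office address, then a normal logon.
    for i in range(2):
        t = base + timedelta(hours=2, seconds=20 * i)
        lines.append(f"{t.isoformat()} 4625 10 192.0.2.15 jsmith")
    lines.append(f"{(base + timedelta(hours=2, seconds=60)).isoformat()} 4624 10 192.0.2.15 jsmith")
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_log()):
        print(alert)
```

Running it against the constructed log prints three alerts: the first campaign crossing the threshold, that campaign's eventual successful logon (with all 300 failures still in the window), and the second campaign crossing the threshold; the staff member's two typos produce nothing. On a real server the same rule is worth wiring to whatever the firm already reads (an e-mail, a ticket), and the failures themselves are the cue to close inbound RDP or put it behind a VPN and enable account lockout, since the attack described here depends on being able to guess indefinitely.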

Thank you to Dixon Hughes Goodman, LLP, for sharing this information to protect our smaller firms!

