Bonds

Issuers and borrowers should watch out for phishing scams in their communications with the IRS’ Tax Exempt and Government Entities Division, as there have been instances in recent months of scammers posing as IRS representatives.

John Stanley, a tax and public finance partner at Orrick and Joseph Santiesteban, private and data innovation partner at Orrick, coauthored a recent warning on the subject. While issuers have become increasingly wary of a variety of cybercrimes targeting them, this particular approach targets debt management directly.

The IRS tries to conduct its audits of tax-exempt bonds in a secure manner, ensuring that no confidential information is improperly disclosed and has established its own electronic messaging service, TEBConnect, to ensure data is securely transmitted and received.

“However, we’ve recently seen emails purporting to be from the IRS regarding the use of its TEGE secure messaging service to respond to an audit of tax-exempt bonds, but that are actually phishing scams intended to steal data from the recipients,” the client alert by Stanley and Santiesteban said.

“Issuers and borrowers should always be on the lookout for phishing and other suspicious emails, whether those appear to be from the IRS or other entities.”

TEBConnect was introduced as a pilot program in 2018 to help issuers communicate with the IRS about bond examinations and had the function to communicate through a web browser in order to electronically submit requested documents securely, eliminate paper and postage and reduce the need for calling or mail delivery.

But the service wasn’t fully available until August 2021 and hasn’t yet caught on widely. Stanley said he has yet to use it in responding to an audit, but recognizes it as a possibility.

Phishing and other scams have long been threats to municipal issuers, but until recently have largely dealt with them internally without the help of tax professionals or regulators.

“We’ve seen a couple instances of spoof phishing emails, it probably happens more often and our clients just don’t reach out to us because they identify on their own that it’s spam email,” Stanley said.

“On the flip side, I have had clients receive actual IRS audits, where they assumed that it was some sort of scam.”

Many municipal issuers haven’t been very forthright about what they’re doing to mitigate cyber threats, which eventually could be material to investors.

“Municipal issuers seem reluctant to fully disclose their cybersecurity risks and mitigation efforts in their offering documents. A typical excuse is that an issuer may not want to reveal its cyber threat mitigation strategy, leaving investors to wonder if there is any mitigation strategy at all,” a 2019 briefing from law firm Ballard Spahr said. 

“Disclosure of the recognized potential risks from such threats and general approaches by an obligated party to address such risks may be material to prospective investors,” Ballard noted at that time.

Stanley felt compelled to issue the warning because of his firsthand experience with a client, and doesn’t think the IRS’ TEGE will be putting any extra effort in on this front.

But the IRS has issued a number of warnings to tax professionals in recent months, one on avoiding spear phishing, an email identity theft scheme. Just last week, the IRS launched its seventh consecutive summer campaign warning tax professionals against data theft.