They say nothing is certain except for death and taxes. In 2019, it’s time to add cyber tax scams to the list. The Internal Revenue Service (IRS) has released its annual “Dirty Dozen” list of tax scams – and it’s no surprise that nefarious online schemes top the list. Here are some of the most common (and clever) techniques that hackers are using to defraud Americans of their personal information and hard-earned income.
Phishing: new variations of an old scheme
The IRS has long been impersonated by criminals in order to trick tax-payers into divulging personal information, whether by phone, text or e-mail. This trend continues as impostors target online users with legitimate-looking e-mails and convincing website landing pages, directing users to enter personally identifying information such as Social Security Numbers, bank account information, date of birth and other data valuable to hackers.
In one variation of a phishing scheme, cyber criminals had collected enough personal information to file fraudulent tax returns in others’ names, using people’s real bank accounts for the deposit of tax refunds. Following this, they posed as a debt collection agency acting on behalf of the IRS to inform these tax-payers that a refund was deposited in error and that they must transfer this sum to their collection agency immediately. In another version, tax-payers would receive automated robo-calls from an IRS impostor threatening them with criminal fraud charges, an arrest warrant or a “blacklisting” of their Social Security Number.
Online Tax Software: a Spoofer’s paradise
Impersonating the IRS isn’t the only way to defraud honest tax-payers. According to the IRS, 135 million Americans filed their taxes electronically through an online service such as Quickbooks or TurboTax. This widespread use of online filing opens a plethora of opportunities for hackers. They have even gone so far as to spoof these services, generating hundreds of legitimate-looking but fake sites like “quickbooksltd.com” or “accounts-quickbooks.com”. These domains are often engineered to steal users’ login credentials for the intended legitimate site.
But these spoof sites don’t stop there. They also leverage the fact that many users are confused by tax software, given that they typically use it only once per year. That’s why hackers even create fake websites posing as tech support for these services. The attack vector in this scenario is through SEO and paid search ads, targeting victims who are searching for assistance online. At the 1-800 numbers listed on these sites, people posing as “support” technicians often ask for remote access to victims’ computers in order to steal sensitive personal and commercial information.
Tax Professionals and Human Resources beware
People who handle personal information on a daily basis, like tax professionals and human resources employees, are particularly at risk to be targeted by hackers – especially during tax season. Depending on the variation of the scam, criminals might pose as an employee who wants to update the bank account to which their direct-deposit is made, replacing it with their own account. This scam is usually discovered relatively quickly, but not before the victim has lost one or two payroll deposits.
A new variation of this phishing scheme is targeting accounting and tax preparation firms nationwide. The scheme’s objective is to collect sensitive information that will allow fraudsters to prepare fraudulent tax returns, as mentioned earlier in this post.
These latest phishing emails come in typically two stages. The first email is the solicitation, which asks tax professionals questions such as “Can you help me prepare my taxes?” If the tax professional responds, the cybercriminal sends a second email. This second email typically has either an embedded web address or contains a PDF attachment that has an embedded web address.
Malicious emails and websites can then infect the tax professional’s computer with malware without the user knowing it. The malware downloads in the background, giving the criminal access to the device, enabling them to access any sensitive files or even track keyboard strokes, exposing the victim’s login information.
What can you do to protect you and your business?
The first thing you need to equip yourself with to avoid falling victim to criminals this tax season is knowledge. Be aware that the IRS never contacts tax-payers through e-mail first. It typically contacts citizens first by mail, not via email. If you haven’t received a paper letter, it’s unlikely that any electronic communication claiming to be from the agency is real. If you receive an unsolicited email or social engineering attempt that appears to be from either the IRS or an organization closely linked to the IRS, you should report it by sending it to [email protected]. Learn more by going to the Report Phishing and Online Scams page on IRS.gov.
In addition, legitimate tech support agents don’t need to see your screen or obtain your login information in order to help you. And it’s always a good idea to use a unique, complex password instead of reusing the same one across multiple accounts.
Your business should also be aware anytime an employee credential has been compromised. Once a hacker is inside of your organization, it becomes exponentially easier for them to move laterally and vertically through your information systems. Consider a Dark Web monitoring solution like Dark Web ID to detect when your business credentials have been compromised.
Most importantly, you need to make sure your employees are your strongest defense against the onslaught of human-focused attacks like phishing and spoofing. Human error can be drastically reduced by implementing a Security Awareness Training platform to educate vulnerable users on how to recognize and avoid malicious e-mails and websites. ID Agent currently offers its training solution BullPhish ID to its Partners at no additional cost, allowing them to execute simulated and staggered phishing campaigns aimed at their customers and automatically follow up with video-based training resources.