Beware Tax Season Scams

Tax season is upon us again and the hackers have been busy with a slew of old and new tricks to try to steal tax refunds. Here are some of the tricks that hackers are employing this tax season and some tips on how you can avoid being taken advantage of by cyber-criminals.

A New Twist to an Old Game

Who wouldn’t be happy to get a bunch of money deposited in their bank account by surprise from the IRS?! Unfortunately for us, the IRS is not simply giving us all money; this is a new, elaborate scam by hackers to try to swindle you and the IRS out of money. Hackers are using your personal information to file a fraudulent tax return on your behalf and having the refund deposited in your bank account. Then they fall back on their old scam of calling or emailing you, claiming to be the IRS and demanding that you send the money back.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a huge uptick in the number of fraudulent filings. To try to help combat some of the fall-out, each employer has been assigned a special Employer Code that is found on the W-2 form to try to make sure that fake W-2s are not used to file claims.

The IRS has also encouraged everyone to file their claims as quickly as possible, so as not to give hackers a chance to put in a fake claim before you do. If two (or more) claims are filed with your Social Security number, the IRS will notify you by snail mail (the IRS does not email or call).

If you try to eFile and a claim has already been filed, your claim may be rejected and you will need to contact the IRS (also because of the Equifax data breach, contact the FTC).

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infant and child personal information on the Dark Web. Hackers are even promoting sales of the information by advertising that it is tax season and that buyers should get the information before it is used. The troublesome aspect of having children’s personal information for sale on the Dark Web is that very few parents actually monitor the credit of their youngsters, and they may not discover a fake identity for years, or even 16-17 years down the road when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and tons of news coverage over the past couple of years, hackers are still tricking businesses into sending their employee records. A few years ago, the IRS warned companies against falling for the W-2 scams, but despite the continued warnings, businesses (and even government offices like the City of Keokuk, Iowa and Batavia, Illinois) are still falling for phishing scams that pose as the company CEO or executives asking for employee summaries and W-2s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams, and when it comes to sharing sensitive data, encourage them to seek verbal approval from the requestor. Even though scammers state there is extreme urgency in receiving the response, getting a verbal confirmation from the sender is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!).

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

Tax Season is Also Phishing Season

As tax season is upon us, it is important to remind ourselves of whaling campaigns, which essentially are phishing scams but on a much larger scale. Whaling scams typically target large amounts of sensitive employee data (tax season = W-2s) or wire transfers for fake invoices. During tax season in 2016, cyber criminals successfully targeted 41 organizations for employee W-2 information. One particularly bad W-2 whaling scam led to University of Kansas employee paychecks being diverted from their accounts after employees received fake emails asking them to update payroll information.

Whaling scams catch people by surprise because they believe that they are receiving a legitimate request from inside their own organization (CEO, CFO, HR). The emails play on emotions with orders for urgent actions to pay invoices, update payroll information, or the need to file tax statements.

Phishing for W-2’s

During tax season, whaling campaigns are particularly lucrative for cyber criminals because with the W-2 information, they can file false tax returns and divert refunds from the actual person. Prior to last year, the IRS would not alert a person if they detected fraudulent tax filings, but with the recent spate of data breaches and the number of false filings, the IRS now analyzes filings to check consistency against previous years and will alert the taxpayer if they notice inconsistencies.

Even with all the checks in place, there were still around 275,000 claims of taxpayer identity theft reported to the IRS in 2016, and Experian’s Data Breach group handled more than 70 cases each week tied to W-2 schemes.

Whaling for Big Paydays

In April 2015, Mattel fell to a massive whaling scheme that saw $3 million diverted to Chinese cyber criminals. Luckily for Mattel, the money was wired over a Chinese holiday and they were able to work with the Chinese authorities to recover most of the funds.

In May 2016, the CEO and CFO of an Austrian plane manufacturing company both lost their jobs after falling for a whaling scheme that cost the company nearly US$57 million. The company managed to recover some of the money but most of it disappeared into foreign bank accounts.

And in January 2016, a Belgian bank lost US$75 million after an email was sent requesting a money transfer to finalize an urgent business transaction.

So That’s the Bad News, Now How Can Organizations Combat Phishing?

Empowerment, verification, and employee education are key in combating whaling schemes. Anti-virus and anti-malware solutions will not stop phishing emails from being delivered or the links being clicked on or sensitive data being sent to the wrong person. It’s only when an employee is empowered to ask for verification and taught to question unusual circumstances that organizations will be able to defeat phishing scams.

The news of failure is constant, but there are success stories every day due to vigilant and aware employees. One such success story happened this week to a company that Axiom works with in Southern California. The “CEO” emailed his executive assistant and told her to wire money to someone right away. She thought it was odd, as he typically did not send those types of emails, and asked for verbal confirmation. The answer was “what are you talking about?” and Axiom was called for advice.

Hackers are Stealing Your Tax Returns

It’s tax season and cyber criminals are out in full force to steal your tax returns. This time last year, hackers stole $50 million from the Internal Revenue Service (IRS) through fraudulent tax refunds, affecting 330,000 people. It’s no surprise that this January, the IRS was targeted by an automated cyber attack. Cyber criminals used stolen personal data from data breaches to create fake logins through the IRS Electronic Filing PINs. The IRS stated that they found unauthorized attempts to obtain Electronic Filing PINs for 464,000 Social Security numbers. The attackers tried to use malware to generate these fake identification numbers. Thankfully, the IRS was able to stop this attack before it affected anyone; however, it’s likely this won’t be the last attack.

“No personal taxpayer data was compromised or disclosed by IRS systems,” the IRS said in a statement. “The IRS also is taking immediate steps to notify affected taxpayers by mail that their personal information was used in an attempt to access the IRS application. The IRS is also protecting their accounts by marking them to protect against tax-related identity theft.”

The numerous data breaches that have occurred in the past few years have given these cyber criminals plenty of data to use for identity theft. In 2015, health insurers like Excellus, Anthem, and CareFirst, were victims of huge data breaches. These data breaches affected tens of millions of people. Even the Office of Personnel Management was attacked, exposing 21.5 million U.S. government employees. From the sheer amount of data that is out there, it’s no surprise that hackers are using this data to file people’s taxes.

As reported in Forbes: “The trend is clear. Each year, the IRS publishes a list of its ‘Dirty Dozen’ tax scams. In 2011, just one involved some form of identity theft. This year no less than one-third were (identity theft-related) scams.”

For a cyber criminal, it takes very little work to secure a big payoff. All it takes is a name and Social Security number, stolen from one of the many data breaches that have occurred. These thieves file for taxes under the stolen identity and provide a fake address to send the refund to. By using their automated programs, they can scam easily and quickly.

How can you protect yourself? The best thing you can do is to file your taxes as early as possible! The more you delay, the more time you are allowing cyber criminals to steal your identity.

Consumers need to be alert to possible tax-related identity theft, especially if you’ve received a letter from the IRS stating you have been breached. The IRS has published 5 warning signs that everyone should be aware of.

1. More than one tax return was filed for you;
2. You owe additional tax, have a refund offset or have had collection actions taken against you for a year you did not file a tax return;
3. IRS records indicate you received more wages than you actually earned; or
4. Your state or federal benefits were reduced or cancelled because the agency received information reporting an income change.