Tax season is a boom time for hackers. Millions of Americans are collecting the details of their financial lives and preparing to send them across physical and digital channels — creating ample opportunity for hackers to rob, deceive, or manipulate taxpayers.
Between 2013 and 2016, more than $36 million was stolen from taxpayers just in refund-related tax schemes. Billions more have been stolen because of identity theft-related schemes that were made possible only by stolen tax information. The 400 percent rise in phishing and malware observed by the IRS between 2016 and 2017 doesn’t help, either.
The vast majority of these scams follow a similar pattern: Thieves pose as IRS officials in emails, phone calls, text messages, and even in person, and then demand payment or sensitive information. Given the natural anxiety that Americans experience around tax season, angry demands from an all-powerful agency are especially resonant.
In this case knowledge is the best protection. The IRS almost exclusively contacts taxpayers through paper mail and not via email, phone calls, or text messages. And when they do send representatives to a physical location, they must provide extensive credentials.
All other communication from the IRS, especially emails, should be disregarded entirely because it’s likely fake. Even so, phony emails can still look official and convincing. Watch out for these red flags to protect yourself and your business during tax season:
Hackers will often pose as the IRS, or another official organization, and demand that an email recipient make a wire transfer or even transfer gift card information. These messages rely on harsh language and promise punitive consequences, and they might even seek information rather than money. The actual IRS, however, never sends threatening emails and will never request payment via back channels.
A phony email might be compelling, but an entire phony website can be downright convincing. Scammers often send out benign-looking emails asking the recipient to click a link and visit an official IRS website. The website looks authentic, which is why users don’t hesitate to enter login credentials or sensitive information. The website might also impersonate a tax software or accounting firm. These websites are always fake and often contain telltale signs in the form of odd URLs or typo-heavy website copy.
One of the easiest ways for hackers to avoid suspicion is to use personal information — first names, casual greetings, company connections — to make phony emails look legitimate. This information is easy enough to obtain, especially when it’s paired with urgent requests for tax or other financial information. It may be possible to spot the fakes by scrutinizing the address bar or sender information, but an even better approach is to put in place strict protocols for verifying payments in advance. Look for this type of attack to increase as the ocean of consumer data stolen during the Equifax hack begins to make its way through the underworld ecosystem.
An emerging attack form uses traditional phishing tactics to persuade users to download an attached questionnaire. The attachment actually contains ransomware that encrypts the victim’s data until they pay to recover it. The goal is not to extort tax information, but rather to piggyback on the urgency of tax season in order to perpetrate other types of attacks. But the IRS and agencies claiming to work with the IRS rarely, if ever, send email attachments.
Training and education are the best weapons during tax season. Once taxpayers understand how the IRS actually operates and how easy it is to spot the imitators, the overall exposure to threats drops dramatically. When that awareness is paired with tools to help identify, segregate, and eliminate bad emails the issue of tax season security is made largely irrelevant.
For consultations and solutions to protect you through tax season and beyond, contact the team at Zix.