As seen on Information Security Buzz...
As more and more Americans continue to turn to technology to file their taxes, there is — as with virtually all of today’s connectivity-driven convenience tools — an undercurrent of risk. But — as with other convenience tools — that risk is doing nothing to deter the use of e-filing methods. According to eFile, of the more than 135 million tax returns filed for the 2016 tax year, 92% were filed electronically. The IRS website notes a slight uptick over that rate so far this year; through March 16, more than 93% of the nearly 78 million returns received for the 2017 tax year were filed electronically by either individuals or tax preparers (an increase over the same time last year).
Still, in defense of consumers and tax professionals, the IRS itself has encouraged the use of e-filing channels with the bait of faster refunds. This is no doubt music to cybercriminals’ ears as it presents additional opportunities to use sensitive personally identifiable information (PII) about filers — including Social Security Numbers, PIN numbers, and financial and tax data — to their advantage. For those unlucky enough to fall victim to tax fraud, the outcomes include identity theft and stolen tax refunds. And with average refunds last year (and so far this year) logging in at more than $2,900, the ramifications of falling victim would be devastating to many filers.
Fortunately, there are several ways taxpayers can keep a keen eye for vicious attacks and tricks aimed at obtaining sensitive information. Share these tips with your end users (and even family and friends) to help prevent tax-related fraud:
Do not act on unsolicited messages asking for sensitive information
The IRS website states that the agency will not “initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.” This policy is likely to be shared by all reputable tax preparers and financial bodies as well (and, frankly, any upstanding company). Technology users should keep in mind that phishing attacks and malicious websites often mimic the logos and design of trusted organizations — and that these tactics often work.
If there is any questions about the legitimacy of a message, do not click links, download files, or reply with information. Instead, verify through an independent channel (for example, a known, confirmed website or phone number rather than information contained within the message itself) and only reveal sensitive data to trusted sources.
Beware of unsolicited phone calls and letters as well
Phone calls and letters have a more personal feel that email — something that social engineers use to their advantage. Cybercriminals don’t just operate online; they apply phishing techniques in letters and over the phone in an attempt to lure their targets into acting in haste and turning over sensitive data.
The IRS website offers good advice for spotting impersonators and other scams. As with electronic communications, it’s critical to verify the validity of any requests for tax, personal, or financial data that come via phone or mail.
Keep emotions in check
In order for a social engineering attack to be successful, the target must take the bait — and attackers do their very best to ensure that will happen. As such, they deliberately play on human emotions in order to solicit a response. At tax time, it’s very common for scammers to use scare tactics (like warnings of lost or delayed returns, claims of account compromise, and even threats of arrest or legal action) and promises of accelerated access to funds to spur taxpayers into making bad decisions.
Any communication — email, text message, phone call, or letter — that triggers an elevated emotional reaction — fear, excitement, curiosity, etc. — should be regarded with suspicion and be filed under V for Verify.
Stay alert at work and at home
Tax-related scams can hit consumers, tax professionals, and corporations alike. Individuals who work in accounting and HR roles should be particularly wary of any requests for W-2 data or other sensitive data for fellow employees. Cybercriminals craft scams like this in order to obtain a treasure trove of information via a single attack.
Don’t take attacks lying down
Take action on suspicious communications. The IRS provides guidelines for reporting IRS-related issues, and many companies solicit reports of potentially fraudulent activities that falsely represent their brands. For suspected attacks that happen at work, employees should follow their organization’s process for alerting infosec response teams.