Tax season is very profitable for hackers.
Cyber criminals are fond of tax fraud because it is a simple business operation that has high financial rewards.
The crimes committed are “done almost in an assembly line manner,” Jason Glassberg, co-founder of Casaba Security, a Redmond, Washington-based cybersecurity company that specializes in ethical hacking and security program development, told TheStreet.
“You simply fill out as many personal tax filings as you can as early in the season as possible and collect the refunds,” he said. “Ever since the IRS enabled direct deposits, instead of having to physically mail you a refund check to your home address, it became incredibly easy for the scammer to rip off consumers.”
Cyber crime groups have learned that tax season is a real bonanza for them. Their efforts are sophisticated and they don’t need to find a software vulnerability in a web application or tax filing tool in order to pull off these scams, Glassberg said.
“They just social engineer people on email, phone or SMS to get enough personal information to file in their place,” he said. “Or they simply buy the personal identity through the many services out there in the Dark Web.”
Personal Information Can Be Used For Other Fraud
The information that is stolen from a tax return is extremely valuable to hackers since it can be used for financial or medical theft, and used or sold for spear phishing, account takeovers, ransomware or to start a cyberattack at your place of work, Atif Mushtaq, chief product officer at SlashNext, a Pleasanton, Calif.-based anti-phishing company, told TheStreet.
“Beware of any SMS text, email, or phone call from anyone claiming to be from the IRS,” he said. “Check URLs for the accurate IRS website – https://www.irs.gov. Ensure you type the correct URL into your web browser to avoid typo-squatter websites impersonating the IRS. Protect your mobile devices and computers with anti-phishing and anti-malware protection.”
IRS Never Calls, Texts or Emails Anyone
The IRS does not contact taxpayers by email, text or social media to request personal or financial information.
“One easy rule to remember: never click on links within an email or text message,” Ray Kelly, a fellow at NTT Application Security, a San Jose, Calif.-based provider of application security, told TheStreet. “Even if it’s something you were expecting, it’s always much safer to visit the site directly.”
During tax season, consumers might receive calls claiming that their Social Security number was stolen and verification is needed, but these are actually attempts to get information to use in scams or bank account information to steal their money, Alex Hamerstone, director of advisory solutions for TrustedSec, a Strongsville, Ohio-based cybersecurity company, told TheStreet.
“Live callers will often claim to be the IRS, but the IRS will almost never call you for any reason,” he said. “Scammers will try to scare you and create a sense of urgency. They want you to make a decision right away, because they know the longer you think about it, the more likely you will realize you are being scammed.”
Technology has made it very simple to fake or spoof the phone number that shows up on your caller ID.
“I can’t express enough how easy this spoofing is,” Hamerstone said. “Don’t trust your caller ID.”
Taxpayers should avoid opening suspicious attachments they receive by email or text message.
“The links in phishing emails will lead users to a lookalike domain and ask for users’ login credentials,” he said. “From there hackers will use those credentials to log into the legitimate website and attempt to gain access to the users’ account or sensitive personal information.”
Clues That Should Alarm You
Good email spam filters will help ensure such email scams do not make it to the email inbox, Joseph Carson, chief security scientist and Advisory CISO at Delinea, a Redwood City, Calif.-based provider of privileged access management solutions, told TheStreet.
“If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also,” he said.
Here are some other clues that the sender is a fraudster. Check the email sender address and not the display name and look for spelling mistakes. Look at the hyperlink addresses by hovering over them to see where they send you, but do not click on the links, Carson said.
“Also check your personal details for accuracy,” he said. “These simple tips can help avoid a cyber security nightmare.”
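The checks Carson describes (read the sender address rather than the display name, and look at where each link really goes) can be automated. The sketch below is an added example, not part of the original article; the sample message and its `.example` domains are constructed, and flagging any display name that contains "irs" is an assumption made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "irs.gov"  # the only IRS domain the article names

def is_trusted_host(host):
    """True only for irs.gov itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

class LinkCollector(HTMLParser):
    """Collects the real href targets, ignoring the visible link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def review_message(raw):
    """Return a list of human-readable warnings for one raw email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    # Display name claims the IRS but the address domain does not match.
    if "irs" in display.lower() and not is_trusted_host(sender_host):
        findings.append(f"display name '{display}' but sender domain is {sender_host}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not is_trusted_host(host):
            findings.append(f"link goes to {host}, not {TRUSTED}")
    return findings

# Constructed sample: lookalike sender, one deceptive link, one genuine link.
SAMPLE = """\
From: "IRS Refund Center" <refunds@irs-gov.example>
Subject: Your refund is ready
Content-Type: text/html

<p>Verify at <a href="https://www.irs.gov.refund-check.example/login">https://www.irs.gov</a>
or read <a href="https://www.irs.gov/refunds">our refund page</a>.</p>
"""

if __name__ == "__main__":
    for finding in review_message(SAMPLE):
        print(finding)
```

The first link shows `https://www.irs.gov` as its text but resolves to a different host, which is exactly what hovering over it would reveal.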
Instead of using your Social Security number or individual taxpayer identification number when you are filing your taxes, you can opt to use an Identity Protection PIN from the IRS, which is a six-digit number.
Most people have had their personal information compromised because of the multitude of hacks from the databases of retailers and companies, Glassberg said.
The IRS has a special affidavit, called the Identity Theft Affidavit or Form 14039, that consumers can file to notify the agency that they are at higher risk of tax identity theft and refund fraud, he said.
Consumers should also try to file their taxes as early in the season as they can to decrease the odds of someone stealing their identity.
“That’s a simple way to lower your risk of being impersonated and defrauded,” Glassberg said.
Never Pay With a Gift Card
The IRS does not threaten taxpayers with jail time or demand that people initiate payment immediately via a specific payment method such as a wire transfer or prepaid debit card.
“Common sense goes a long way here to avoid getting ripped off,” Glassberg said.
There are criminals ripping people off the old-fashioned way by pretending to be tax preparers. They will often add illegal deductions, Hamerstone said.
“This is the one that surprises people,” he said. “There are actually fake tax preparers. Some even set up storefronts. They will steal your refund by redirecting it to your bank account, and often will pump up your refund with inappropriate/illegal deductions.”
Both hackers and scammers often leverage fear and urgency.
“Taxes are a perfect chance for scammers to create both,” Hamerstone said. “Remember, the IRS will never call you. They communicate by U.S. mail. And you will never, ever, no matter what have to pay your tax bill with gift cards. Ever. Any time someone is asking you to buy gift cards and send them the codes, it is a scam.”