Why Cybercriminals Love Tax Season

Posted by Sagiss LLC on Wed, Feb 01, 2017 @ 09:02 AM

IRS Imposter Scams

Find me a person who enjoys taxes and I'll show you somebody who probably also loves going to the DMV and stepping on Legos. There’s only one thing that could possibly make taxes any worse—and that’s being scammed out of your hard-earned cash by ruthless, depraved criminals (and no, I’m not talking about the IRS).

Unfortunately, this is exactly what happens to thousands of unsuspecting victims each year as cyber-thieves take advantage of the April 15 tax filing deadline to target both taxpayers and tax professionals alike with plunderous phishing emails. Such imposter scams trick users into divulging personal information by luring them to click on seemingly legitimate links within unsolicited emails, directing them to websites that capture usernames, passwords, and other sensitive information. Armed with this knowledge, a criminal can then commit a variety of crimes from identity fraud to financial theft. 

These phony emails, which appear to originate from an official source such as IRS.gov, may seek information related to refunds, filing status, personal information, transcripts or PIN information. For example, some phishing scams urge tax professionals to update their IRS E-service portal information and Electronic Filing Identification Numbers (EFINs) using phony links that capture the victims’ usernames and passwords.

Gift Card Fraud

Last April, the US Department of the Treasury issued a warning about fraudulent calls potentially scamming victims into paying taxes with gift cards, including iTunes gift cards and Green Dot Prepaid.

One student fell victim to such scamming tactics last year, handing over more than $1500 in iTunes gift cards. Kroger, where the student purchased the gift cards, is working closely with Apple and other experts to find solutions that could help prevent others from getting scammed.

Apple also reminds us that iTunes gift cards are ONLY good for the following purchases:

  • iTunes Store
  • Apple App Store
  • iBooks Store
  • Apple Music membership

"There's no other instance in which you'll be asked to make a payment with an iTunes Gift Card."

Long-Lining Phishing Attacks

With large paydays looming on the horizon, cyber criminals will continue to slither out of the woodwork to take advantage of the pending tax deadline—and they’re breaking out the big guns this time. No longer content with conventional phishing methods, fraudsters have turned to a fairly new, advanced and highly effective phishing technique called “longlining.”

Typically, security filters recognize mass phishing emails by identifying identical or similar messages originating from a single source and nipping them in the bud before any significant damage can be done.

However, unlike conventional phishing exploits, longlining “hooks”, or email messages, are individualized, highly variable in terms of content, appear to come from various IP addresses, include a variety of subject lines and body content and contain dozens of unique URLs—making them extremely difficult to track. This system of "mass customization" makes it easy for thousands of malicious emails to slip past security barriers straight into the inboxes of unsuspecting users.

Furthermore, the links contained in longlining scams don’t point directly to malicious sites (like in conventional phishing messages) but instead to trusted, legitimate websites that have been compromised by the attackers beforehand. This elaborate process makes for a strikingly effective deception, conning an astounding 10 percent of recipients into clicking on compromised links. What’s worse? The growing use of mobile devices for work-related purposes has provided criminals with even more opportunities to reach victims as nearly 20 percent of these clicks happen “off network.”


IRS Imposter Scams are On the Rise

While tax scams this time of year are nothing new, the IRS has reported an alarming 400 percent surge in phishing and malware incidents in the 2016 tax season alone, requiring taxpayers to be more vigilant than ever.

However, telling what’s real from what’s fake may be simpler than you think. The IRS website states that the agency will “never initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.” Therefore, any unsolicited email purporting to be from the IRS and requesting this type of information can be easily flagged as suspicious until proven otherwise.
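The contrast between the volume-based filtering described under longlining and the per-message rule above, as an added example that is not part of the original post. The sample messages, addresses and keyword patterns are constructed for illustration; the keywords are an assumption drawn from the topics the post says these lures ask about.

```python
import hashlib
import re
from collections import Counter

# Constructed sample mail: (source_ip, subject, body). Not real traffic.
BULK = [("203.0.113.5", "You won!", "Claim your prize at http://prize.example/win")] * 3
LONGLINE = [
    ("198.51.100.7", "IRS: update your e-Services account",
     "Confirm your EFIN and password: http://blog.example/a1"),
    ("192.0.2.44", "Your tax refund is on hold",
     "The IRS needs your PIN to release the refund. http://shop.example/x9"),
    ("203.0.113.80", "Transcript request received",
     "Internal Revenue Service: verify your username at http://club.example/q"),
]
BENIGN = [("192.0.2.10", "Team lunch Friday", "Pizza at noon in the break room.")]

# Assumed keyword patterns, taken from the topics the post lists.
ASKS = re.compile(r"refund|filing status|transcript|\bpin\b|efin|username|password", re.I)
CLAIMS_IRS = re.compile(r"\birs\b|internal revenue service", re.I)
HAS_LINK = re.compile(r"https?://", re.I)

def fingerprint(source_ip, body):
    """Key used by the volume filter: sender plus whitespace-normalized body."""
    normalized = " ".join(body.lower().split())
    return source_ip, hashlib.sha256(normalized.encode()).hexdigest()

def bulk_filter(messages, threshold=3):
    """Conventional check: flag mail whose (source, body) repeats >= threshold times."""
    counts = Counter(fingerprint(ip, body) for ip, _, body in messages)
    return [m for m in messages if counts[fingerprint(m[0], m[2])] >= threshold]

def irs_lure(message):
    """Per-message check: claims to be the IRS, asks for account or tax data, has a link."""
    _, subject, body = message
    text = subject + "\n" + body
    return bool(CLAIMS_IRS.search(text) and ASKS.search(text) and HAS_LINK.search(body))

def triage(messages):
    """Return (caught_by_volume, caught_by_content) as lists of subjects."""
    by_volume = [m[1] for m in bulk_filter(messages)]
    by_content = [m[1] for m in messages if irs_lure(m)]
    return by_volume, by_content

if __name__ == "__main__":
    print(triage(BULK + LONGLINE + BENIGN))
```

The volume filter only sees the three identical messages from one source, while the three individualized IRS-themed messages are caught by the per-message rule alone.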

Still, due to the increasingly convincing nature of phishing emails, combined with longlining's ability to bypass security systems, thousands of people fall prey to these types of cons each year, prompting some seriously costly consequences. 

In a similar social-engineering scam, more than 5,000 phone tax scam victims have already collectively lost more than $26.5 million since the beginning of the year (Treasury Inspector General for Tax Administration). Despite the fact that the IRS will never contact a taxpayer over the phone, this "phone phishing," where scammers impersonate IRS officials to demand payment over the phone, holds the number one spot on the infamous "Dirty Dozen" list of most dangerous tax scams.

How to Stay Safe This Tax Season

As cyber criminals increasingly up the ante with complex social engineering, gift card, longlining and other fraudulent attacks, the only way to make it through tax season unscathed is to take a proactive approach to protecting your personal information. That means:

  • Learning to identify suspected phishing emails
  • Visiting antiphishing.org for a list of current phishing attacks
  • Ensuring you have up-to-date firewall and virus/malware protection
  • Keeping your browser up to date by downloading the latest security patches
  • Using unique passwords for each of your online accounts
  • Entering sensitive data on secure websites only—look for “https” addresses
  • Staying mindful of IRS press releases and scam warnings  
  • Encrypting old tax returns and tax records
  • Shredding all tax documents before trashing
  • Not oversharing personal information on social media–criminals can use information about past addresses, a new car, a new home, your children, etc. to target you.

That being said, it’s important to remember that the IRS DOES NOT initiate contact with taxpayers via email to request personal or financial information. If you receive an unsolicited email from the IRS or an organization related to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), don’t click on any links until you verify its legitimacy by calling the institution directly. Furthermore, don’t hesitate to report suspicious emails by forwarding them to phishing@irs.gov.

While tax season isn't particularly fun for anyone, staying one step ahead of sticky-fingered fraudsters will not only provide peace of mind, but also help you keep your hard-earned cash where it belongs–in your pocket.
