Whether you’re paying your own taxes or working as a professional tax preparer this filing season, cybersecurity experts have issued several recent bulletins about hackers working hard to steal sensitive information.
On the tax preparer front, the Internal Revenue Service, state tax agencies, and the tax industry revealed a new round of phishing emails with bad actors posing as potential clients or even the IRS to trick professionals into disclosing sensitive information.
On the consumer side, tax returns continue to represent one of the most in-demand forms of cybercrime: in 2017, the number of tax-related data breaches rose by 44% over 2016, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center. Experts expect that number to jump again in 2018, with hackers eager to file fraudulent returns before legitimate taxpayers can do it themselves.
Even as early as February, the IRS reports that it has already received several fake tax returns that had accurate taxpayer names, addresses, Social Security numbers, and even bank account information for the victims.
Surprisingly, some of those illicit refunds were then directed to the real taxpayers’ bank accounts, with criminals then posing as debt collectors and reaching out to consumers to notify them that the refunds had been sent in error. The victims are then requested to forward the money on.
Since these fraudulent returns included the taxpayer’s correct information — all the way down to the right number of dependents — the IRS suspects that the scam originated in the offices of tax professionals. Many of those preparers have fallen victim to phishing scams that load malicious software onto desktops, laptops, networks, and servers, compromising valuable information.
So what can tax preparers and payers do to stay safe this filing season? CMIT Solutions recommends the following strategies, all of which should be backed by the support and consultation of trusted IT and tax professionals:
1. If you file electronically, access an online tax filing service on a trusted, secure Internet connection.
That means no filing your tax return (or even working on it and saving the progress) while connected to public Wi-Fi at coffee shops, hotel business centers, airports, or other public places. Make sure any site you connect with has “https” in the URL, that any connection you use is password protected, and that you manually type out links to tax preparation software rather than following links from emails.
2. If you work as a tax professional, try to avoid communicating with potential or existing clients solely through email.
This is particularly true if any unusual accommodations are needed, like requests for duplicate W-2 copies, address changes, Social Security numbers, email addresses, or financial information. The recent spike in phishing scams (see below for sample emails) means no valuable data should be transmitted electronically when a phone call or in-person meeting will suffice.
3. If you’re mailing a paper copy of your return, never put it in an outgoing mailbox that can be accessed by someone else.
Instead, mail it directly from the post office. Also, never take pictures of sensitive tax information or store them on your mobile device or computer.
4. Implement proactive monitoring and maintenance provided by a trusted IT partner to help defend against malware, viruses, and known phishing sites.
These types of services will provide automatic security updates and software patches so you don’t have to worry about evolving scams. In addition, they will keep up with new attempts to steal information and prevent bad actors from compromising your systems.
5. Educate all employees about phishing scams as the tax filing deadline gets closer.
Make sure everyone uses strong, unique passwords with two-factor authentication and password management where necessary. Never take an email from a familiar source at face value; for example, an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. NEVER click on any link or attachment included in an email that discusses tax information.
In recent days, the IRS has provided these early variations of phishing schemes:
- “Happy new year to you and yours. I want you to help us file our tax return this year as our previous CPA/account passed away in October. How much will this cost us? Hope to hear from you soon.”
- “Please kindly look into this issue, a friend of mine introduced you to me, regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attach is my information needed for my tax to be filed if you need any more details please feel free to contact me as soon as possible and also send me your direct telephone number.”
- “I got your details from the directory. I would like you to help me process my tax. Please get back to me ASAP so I can forward my details.”
The IRS also has received recent reports of cybercriminals posing as IRS e-Services, asking tax pros to sign into their accounts and providing a disguised link. The link, however, sends tax pros to a fake e-Services site that steals their usernames and passwords.
Tax practitioners or taxpayers receiving emails from fraudsters posing as the IRS or tax software providers are recommended to go directly to IRS.gov and forward attempted phishing emails to firstname.lastname@example.org. Remember, the IRS does not send unsolicited emails — and your tax prepare shouldn’t either!
Want to know more this tax season about how to enhance cybersecurity and keep your sensitive information safe? Contact CMIT Solutions today.