Whether you filed your taxes last week or last month—or plan to wrap things up for the 2018 tax year in the final week before Tax Day 2019—cybersecurity experts have issued several recent bulletins about hackers working hard to steal sensitive information.
On the tax preparer front, the Internal Revenue Service, state tax agencies, and the tax industry continue to highlight new phishing scams that find bad actors posing as potential clients or even the IRS to trick professionals into disclosing sensitive information.
On the consumer side, tax returns continue to be one of the most in-demand targets of cybercrime: in 2018, the IRS received five to seven reports per week from tax firms that experienced a data breach, with more than 250 reports for the year—a 29% increase over 2017.
Hackers act fast, too, often rushing to file fraudulent returns before legitimate taxpayers can do it themselves. As early as February of this year, the IRS reported that it had already received several fake tax returns that had accurate taxpayer names, addresses, Social Security numbers, and even bank account information for the victims.
Surprisingly, some of those illicit refunds were then directed to the real taxpayers’ bank accounts, with criminals doubling down on their ruse by posing as debt collectors and reaching out to consumers to notify them that the refunds had been sent in error. The victims are then requested to forward the money.
Since these fraudulent returns included the taxpayer’s correct information—all the way down to the right number of dependents—the IRS suspects that the scam originated in the offices of tax professionals. Many of those preparers have fallen victim to phishing scams that load malicious software onto desktops, laptops, networks, and servers, compromising valuable information.
So What Can Tax Preparers and Payers Do to Stay Safe with Tax Day Just a Week Away?
CMIT Solutions recommends the following strategies, all of which should be backed by the support and consultation of trusted IT and tax professionals:
That means no filing your tax return (or even working on it and saving the progress) while connected to public Wi-Fi at coffee shops, hotel business centers, airports, or other public places. Make sure any site you connect with has “https” in the URL, that any connection you use is password protected, and that you manually type out links to tax preparation software rather than following links from emails.
This is particularly true if any unusual accommodations are needed, like requests for duplicate W-2 copies, address changes, Social Security numbers, email addresses, or financial information. The recent spike in phishing scams (see below for sample emails) means no valuable data should be transmitted electronically when a phone call or in-person meeting will suffice.
Instead, mail it directly from the post office. Also, never take pictures of sensitive tax information or store them on your mobile device or computer.
These types of services will provide automatic security updates and software patches so you don’t have to worry about evolving scams. In addition, they will keep up with new attempts to steal information and prevent bad actors from compromising your systems.
Make sure everyone uses strong, unique passwords with two-factor authentication and password management where necessary. Never take an email from a familiar source at face value; for example, an email from “IRS e-Services.” If it asks you to open a link or attachment, or includes a threat to close your account, think twice. NEVER click on any link or attachment included in an email that discusses tax information.
In recent days, the IRS has provided these variations of phishing schemes:
- “Have you finished filing your taxes? I want you to help us file our tax return this year as our previous CPA/account passed away. How much will this cost us? Hope to hear from you soon.”
- “Please kindly look into this issue, a friend of mine introduced you to me, regarding the job you did for him on his 2018 tax. I tried to reach you by phone earlier today but it was not connecting, attached is the information needed for my taxes to be filed. If you need any more details please feel free to contact me as soon as possible and also send me your direct telephone number.”
- “I got your details from the directory. I would like you to help me process my tax. Please get back to me ASAP so I can forward my details.”
The IRS also has received recent reports of cybercriminals posing as IRS e-Services, asking tax pros to sign into their accounts and providing a disguised link. The link, however, sends tax pros to a fake e-Services site that steals their usernames and passwords.
Tax practitioners or taxpayers who receive emails from fraudsters posing as the IRS or tax software providers should go directly to IRS.gov and forward attempted phishing emails to email@example.com. Remember, the IRS does not send unsolicited emails—and your tax preparer shouldn’t either!
With Tax Day just one week away and many filers scrambling to make sure their personal returns are finished for the 2018 tax year, opportunities for scams abound. Want to know more about how to enhance cybersecurity and keep your sensitive information safe around Tax Day and beyond? Contact CMIT Solutions today.