If it’s too good to be true, it most likely is. Tax season – from January 1 to April 15 – seems to bring out the most deceptive and cleverest of cybercriminals. They’re a creative bunch. Oftentimes they pose as someone you know – or an institution you use – and offer an easy “fix” to a problem you have in an official-sounding way.
But it’s all a decoy.
Unfortunately, thousands of people have lost millions of dollars and their personal information to tax scams using regular mail, telephone, or email.
Tried-and-true tax scams:
Impersonating emails: A scammer sends an email impersonating the IRS (the emails often reference the name “IRS Online”) and includes a malware-laden attachment (often titled “IRS Tax Transcript”) to get users to click on and open the attachment. Once open, the malware infects their computer and network.
Ghosting: A ghost tax preparer charges clients to prepare a tax return but does not have a preparer tax identification number (PTIN) with the IRS. They can do more damage than just violating IRS regulations. When the IRS finds discrepancies and comes knocking, the ghost preparer is nowhere to be found. Guess who’s left to take responsibility for any errors or omissions? The taxpayer.
Naturally disastrous: Some scammers impersonate charities (perhaps following a recent natural disaster) to get money or private information from citizens. They use fake website names similar to real charity names, claim to work for or on behalf of the IRS, or create their own fake charity.
Old phone scam, new twist: Fraudsters use telephone numbers that mimic IRS Taxpayer Assistance Centers (TACs) to trick taxpayers into paying non-existent tax bills. Scam artists have programmed their computers to display the TAC telephone number, which appears on a taxpayer’s Caller ID when the call is made.
The W-2 identity theft scam: Scammers target those with finance-related roles in the professional sector. Phony emails claim to be from a boss, a co-worker, or a payroll provider, requesting the data one would find on a W-2, including names, social security numbers, home addresses, and salaries.
Even the most careful individuals can fall prey to devious tactics. How? Scammers use social engineering to play on your deeper subconscious instincts without you realizing it. Common tricks include:
Messages written in a way that quickly attracts attention. Specific information is provided to pique anyone’s curiosity – just enough to click on a link in order to learn more.
Implied sense of urgency in order to trick people into disclosing sensitive data to resolve a situation that could get worse without the victim’s input.
Shortened URLs or embedded links used to redirect victims to a malicious site that could exploit usernames and passcodes. Other cybercriminals clone legitimate websites using URLs that also seem legitimate.
Deceptive subject lines written to entice a recipient to believe that the email came from a trusted source. The sender’s address is forged or it spoofs the identity of an organization. Brand assets such as texts, logos, images, and styles are copied to make a website or email template appear genuine.
It seems easy to recognize or avoid these tricks, but in hyper-busy and distracted moments, we are all susceptible. During phishing season, it’s important to stay hypervigilant, especially with emails.
Cybercriminals pose as a person or organization the taxpayer trusts or recognizes. They may hack an email account and send mass emails under another person’s name. They may pose as a bank, credit card company, tax software provider or government agency.
Phishing schemes have become such a problem that the IRS places them at the top of its “Dirty Dozen” list of tax scams.
But would you know how to spot a phishing scam when faced with one? Here are 7 tips (and one bonus tip!) that might save you from falling victim:
Look at the return email address carefully. The easiest phonies to identify are the ones where the email address has nothing to do with the company it is claiming to be. Check the return email address for misspellings or URLs that do not end in .com.
Look but do not click, download, or reply. If the email seems to be coming from a person or institution you know, yet you still smell something phishy, do not click any links, download any attachments, or even reply to that email. Instead, contact those entities through a separate channel and ask if the email came from them.
Analyze the greeting. Are you addressed as some vague “valued customer”? If so, watch out – when it comes to sensitive business, like your taxes, legitimate businesses will often use a personal salutation with your first and last name.
Beware of urgent or threatening language in the subject line. Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or “unpaid bills will be reported to IRS”.
Don’t be fooled by unexpected emails about big refunds, tax bills or requesting personal information. That’s not how the IRS communicates with taxpayers. Remember, the IRS sends official business via snail mail. And only snail mail. They don’t initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.
Delete suspicious emails. Get rid of them right away. Don’t let them stay there to be mistakenly opened in the future.
Use strong passwords. Keep your own security as tight as possible with strong passwords that are each unique to their own accounts. And use two-factor authentication when it is available.
Bonus tip: Use client portals whenever possible. As a preventative measure, keep all your data as private as possible. Use direct client portals with your accountant if they offer it. And remember, nothing beats a VPN when it comes to preserving privacy and encrypting your internet connection when you are uploading your data.
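The email checks in the tips above (sender address, subject line, greeting), together with the shortened links and “IRS Tax Transcript” attachment described earlier, can be turned into a simple triage script. This is an added example, not code from the original article; the function name, the sample message, the shortener list, and the use of irs.gov as the genuine IRS domain are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Phrases quoted in the article; the shortener set is an assumed sample.
URGENT = ("account has been suspended", "unpaid bills will be reported")
GENERIC_GREETINGS = ("valued customer",)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_HOST = re.compile(r"https?://([^/\s:>]+)", re.I)

def phishing_indicators(raw_email):
    """Return the article's warning signs found in one raw email message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").lower()
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename().lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace").lower()
    checks = {
        # Display name claims the IRS but the address is on another domain.
        "sender-domain-mismatch": re.search(r"\birs\b", display, re.I) and domain != "irs.gov",
        "urgent-subject": any(p in subject for p in URGENT),
        "generic-greeting": any(g in body for g in GENERIC_GREETINGS),
        "shortened-url": any(h in SHORTENERS for h in URL_HOST.findall(body)),
        "suspicious-attachment": any("irs tax transcript" in n for n in attachments),
    }
    return [name for name, hit in checks.items() if hit]

# Constructed sample message for illustration (not a real phishing email).
SAMPLE = """\
From: "IRS Online" <refunds@tax-help.example>
Subject: Your account has been suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear valued customer,
Confirm your details at http://bit.ly/constructed to release your refund.
--b1
Content-Disposition: attachment; filename="IRS Tax Transcript.doc"

(constructed placeholder, no real content)
--b1--
"""
```

Calling `phishing_indicators(SAMPLE)` returns all five indicator names; a message that trips none of the checks returns an empty list, which means only that these particular signs are absent.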
You can also download and install a good antivirus, like Avast Free Antivirus for consumers or our business-grade endpoint protection Avast Business Antivirus Products. All of these will alert you to any bad files trying to worm their way into your system or your clients’ systems.
Train yourself and your clients to recognize the signs of a phishing scam and to not be fooled. It’s important year-round, but super-important at least until tax day.