Of the three million respondents to a SonicWALL quiz, only 7.4% answered all of the questions correctly. When asked to determine whether a suspect email was a phishing e-mail or a legitimate email, respondents were wrong 22% of the time.
In addition, quiz results reveal that 1 in 10 people will act on a phishing email even after they have been told it is suspicious; actions include opening the email, clicking on links and even providing personal data at the phisher’s website.
The seasonal rise in phishing threats associated with the April tax season has already begun. As in previous years, the infamous phishing scam typically appears in inboxes masked as a notice to taxpayers that their refund is available.
Phishers use this ploy as an opportunity to gain access to personal identity and account information, ostensibly requested in order for the IRS to deposit the refund to the correct account. While the IRS would never make such a request by email, the “refund” email is ideal bait for scammers.
“Over the years, tax-related phishing emails from parties posing as the IRS or an online tax service requesting bank account information have become more sophisticated,” said Eugene Serafin, email security expert at SonicWALL. “Initially, the IRS spoof emails were plain text with no images. Phishers then began using attachments, and then they added fake IRS logos in addition to text to give the emails the appearance of legitimacy. The best way to protect yourself this tax season from any attempt is to quiz yourself and be aware of all the threats out there.”
While the IRS uses U.S. Postal Service mail exclusively, it is still possible to receive legitimate email regarding your taxes. There are numerous established online filing services, ranging from tax consultants to calculators, that complete and file your tax forms electronically. When you use these services, you are likely to receive legitimate email notifications from them and from the bank acting as the transfer agent to the IRS. The fact that such notifications are commonplace provides the perfect opportunity for phishers to prey on unsuspecting victims by asking for a bank card number “to deposit a refund” or a Social Security number “for identity verification.”
To help taxpayers avoid identity theft during tax season, the SonicWALL Threat Team has outlined several steps to defend against refund-related phishing threats:
- Remember that all official correspondence with the IRS is done through the U.S. Postal Service. The IRS never sends emails asking for any financial, personal or identity information. Do not respond to these types of emails.
- If you use an online tax preparation service, pay close attention to the instructions they provide, such as emails you should expect to receive and the correct procedure for providing important information like the bank account number to which your refund should be deposited. If you need to confirm that a transaction has been completed, either use the tax preparation website or call them directly.
- A tax filing program such as TurboTax will most likely send you an email notification when your taxes are filed, letting you know that your tax forms were accepted or possibly rejected. Do not click on any links in the email. Go back to the tax preparation website and check for any notifications.
- Beware of offers that allow you to get loans on your income tax refund. Though some may be legitimate, this is a notorious model for phishing scams.
- If you have any questions about an email concerning your online tax filing and/or refund from your tax software provider or online filing service, go to the tax service website or contact them by phone.