Between December 2016 and February 2017, IBM X-Force researchers saw a 6,000 percent increase in tax-related spam emails. The researchers see this increase and other factors as evidence that cybercriminals are not slowing down their attacks in the days leading up to Tax Day 2017.
[Image: Fake IRS email spam]
IBM’s analysis found that historically 54 million Americans who file tax returns do so after April 1. This year’s extended deadline of Tuesday, April 18, 2017, gives cybercriminals even more runway to execute their tax fraud schemes. It’s especially crucial for consumers to stay vigilant in protecting their online identities over the next month.
Top techniques used by cybercriminals
Seasonal phishing: Criminals use the topicality of tax season to entice consumers to open emails and files with embedded malware that steals consumers’ passwords and other financial information. The emails might look like they come from the IRS, but they do not; they come from crooks posing as the IRS.
Who’s the boss? Crooks send a business’s accounting staff an email that appears to have come from an executive asking for employee W-2 information. The emails look legitimate, so unsuspecting employees open them, answer the questions and send sensitive information to the hackers.
Turbo scammed: Dozens of tax software companies compete for consumers’ business this time of year and send legitimate marketing emails to entice you to file with them. Cybercriminals have recreated the look and feel of those emails and redirect unsuspecting consumers to fraudulent websites, where they steal login details and ultimately enough information to file a return.
IBM X-Force has also mined the Dark Web and identified criminals selling W-2s for around $50 per document, enabling buyers to file false returns (and collect the associated refunds) before an individual has had an opportunity to rightfully file. As a result, the longer a taxpayer waits to file a tax return, the more susceptible they potentially are to this scam. In 2016, it was reported that the IRS paid out approximately $5.8 billion in fraudulent refunds.
“Today’s online fraudsters are savvy, scrappy, well-connected, and extremely motivated to go where the money is,” said Limor Kessem, Executive Security Advisor, IBM Security. “It’s inevitable for our researchers to observe spam campaign surges timed with topical events such as the Olympics, Cyber Monday or the Super Bowl. Consumers and businesses should be hyper vigilant during these key periods, and implement security best practices year-round to successfully sidestep many of the tactics and traps regularly used by malicious hackers.”
[Image: Fraudulent W-8BEN email]
Tax season security tips
Don’t delay, file right away: Last year, 54 million Americans filed after April, waiting until the last minute to file. File your taxes as soon as you receive your W-2 from your employer. The longer you wait, the more opportunity a fraudster has to file on your behalf.
Sign up for a PIN from the IRS: The IRS IP PIN is a six-digit number assigned to eligible taxpayers to help prevent the misuse of their Social Security number on fraudulent tax returns.
Take advantage of free credit monitoring: Most breached organizations now offer free credit monitoring services – consumers should plan to take advantage for the maximum time allotted.
Be vigilant with your inbox: The IRS will never initiate contact with taxpayers by email, phone, text or social media to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
Be aware of spoofing emails: Scammers often send spoof emails that appear to come from a target organization’s CEO, requesting all employee W-2 information from human resources and accounting departments. Don’t fall for it; pick up the phone and call them to authenticate the request.
Avoid clicking on email links from tax vendors: If you intend to self-file online, access your vendor’s website directly to ensure you’re accessing the trusted site.
Avoid password reuse: Especially when filing your taxes online, make sure to avoid using a password you’ve used for other websites.
Report it: If you suspect a phishing email, or a fake website purporting to be a tax authority’s site, report it by sending it to firstname.lastname@example.org.