Death, taxes, and hacks: How to prevent cyberattacks during tax season

Remember how folks did taxes in the olden days? They’d collect large piles of paper documents, fill out endless pages of forms, stuff a bunch of receipts in a shoebox and – after filing to the IRS – cross their fingers hoping they didn’t forget something that would hold up the processing of the return. (If you’re too young to recall any of this, just trust us – this happened regularly.)

Filing tax returns electronically

Fortunately, times have changed. There’s no need for massive roundups of hardcopies anymore, not when filers fill out and submit everything online. If they want to have copies for their personal record-keeping, they can print or save the filled-in forms (W-2s, 1099s, 1040s, mortgage interest/taxes paid statements, and so on).

Nearly 92 percent of U.S. taxpayers are now opting to electronically file returns. So what could possibly go wrong?

Well, just like death and, of course, taxes, we must accept another certainty in life: if online data or money can be stolen, cybercriminals are going to come up with ways to do it.

After all, as Americans prepare to file, they’re inputting countless lines of highly sensitive data – Social Security numbers, wage statements, IRA earnings, property addresses and bank account information, and so on. Because they do this on browsers, they place themselves at the risk of client-side attacks that inject malicious JavaScript code into websites to skim data and steal information.

Don’t assume you are safe

Neither individual citizen filers or IT decision makers and security professionals at tax preparers and other financial industry businesses can assume that everything is “safe” because of the various password policies and authentication controls in place.

First, no data repository is invulnerable. In July 2020, the U.S. Treasury Department’s Treasury Inspector General for Tax Administration (TIGTA) flagged weaknesses in the IRS’s ability to detect abuse of taxpayer records, noting that “The IRS could not provide an accurate inventory of all applications that store or process taxpayer data and Personally Identifiable Information [PII].”

Of course, government servers are only one of the places tax data resides – our employers, third-party services and we ourselves have copies of it, and can be the source of potential data exposure. When our PII is compromised, it is quickly used to target all layers of United States’ massive tax industry.

In February, the IRS warned of subtle phishing attacks targeting tax preparers, efforts designed to steal Electronic Filing Identification Numbers (EFINs) useful for mass-filing of fraudulent tax returns to pocket illegal refunds at-scale.

Cybercrime is a particularly urgent threat this tax season due to COVID-19 pandemic conditions overwhelming consumers (and their accountants) with overlapping stimulus, unemployment, insurance and other rule changes with plausible tax implications. This blizzard of notifications, web sites and forms sow fatigue and confusion that criminals seek to exploit.

The FBI points to this trend in its latest IC3 Internet Crime Report, by saying that “One of the most prevalent schemes seen during the pandemic has been government impersonators.”

Best practices to prevent cyberattacks during tax season

With these risks in mind, we recommend the following three best practices to safeguard digital tax preparation and filing processes:

Assess your software and online tax reporting/management services. Both professional firms and individuals have embraced the convenience and efficiency of tax software/online services – and for good reason. But you need to ensure that those behind the services maintain strong visibility and control over all code running on their products. This extends to third-party code in particular, which hackers often easily compromise to siphon off customers’ financial details.

For service providers, make sure you understand and protect the entirety of your web application – not just the code that lives on your servers. Your customers enter and transmit an immense amount of private data and sensitive documents during the tax preparation process directly into their web browsers. Make sure the part of your web application that lives in your customer’s web browser is protected from both client-side attacks and potential data leakage, which internal vulnerabilities or supply chain attacks can introduce through vendor code.

Don’t provide any information that isn’t required or satisfy unnecessary requests. The IRS will never ask for your login credentials. Its agents won’t demand immediate payments through a specific method, such as a wire transfer or prepaid debit card. But hackers pose as tax officials during online exchanges and make such requests. Be vigilant and skeptical if you’re asked to do these things, and report phishing attempts and other suspicious activity.

We all know that taxes are unavoidable but getting hit by hackers is preventable. We can’t stop them from targeting the private information contained in digital forms and returns. But by acquiring visibility and control over tax software/online services code and web applications while keeping up to date on phishing schemes, we can make it difficult – if not impossible – for them to compromise anything. And that’s the kind of “returns” we like to see at this time of the year!