It’s tax time in the US – time for phishers to bait their hooks!
In fact, phishing schemes have topped this year’s Dirty Dozen list of tax scams from the Internal Revenue Service (IRS).
The IRS saw a huge spike in phishing and malware attacks during the 2016 tax season, and that’s coming on top of the already huge increase it saw at the end of 2015. In February 2016, the tax agency reported a 400% increase in phishing and malware in 2015.
The scams are getting trickier, too. Earlier this month, the IRS reported that scam artists are working hard to confuse taxpayers with ever-refined attacks. So far, the past few weeks have already produced email schemes targeting tax pros, payroll staff, human resources personnel, schools, and average taxpayers.
In early February, the IRS sent out an urgent warning about a new spearphishing scam that wrapped CEO fraud with a W-2 tax form scam, then added a dollop of wire fraud on top.
A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year.
IRS Commissioner John Koskinen:
This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.
Besides that dangerous phish, the IRS has put up a warning page about other scams it’s seen recently. In all of them, crooks are using the IRS’s name to try to collect victims’ refunds or file bogus returns.
From the list:
- An email targeting tax professionals, asking them to update their accounts and directing them to a fake website.
- Fake emails purporting to contain an IRS tax bill related to the Affordable Care Act. Generally, the scam involves an email that includes a fraudulent version of CP2000 notices for tax year 2015 as an attachment.
- Increased robocalls, where scammers leave urgent callback requests telling taxpayers to call back to settle their “tax bill.” These fake calls generally claim to be the last warning before legal action is taken. The IRS says the latest twist is IRS impersonators demanding payments on iTunes and other gift cards. Don’t fall for it: there’s no such thing as a tax bill settlement being made via gift card, so consider it a clear sign you’re being scammed.
- Bogus phone calls from IRS impersonators demanding payment for a non-existent tax, the “Federal Student Tax.” The crooks are working on people to get them to wire money immediately to the scammer. If the intended victim doesn’t swallow the bait fast enough, the scammer threatens to report the student to the police.
- A phishing scam targeting Washington DC, Maryland and Virginia residents where the email scammers are citing tax fraud and trying to trick victims into verifying “the last four digits of their social security number” by clicking on a link provided. The email scam even suggests that information from recent data breaches across the nation may be involved.
- Scammers call saying they have your 2016 tax return, and they just need to verify a few details to process it. They’re after sensitive information such as taxpayer IDs, bank numbers or credit cards.
The IRS’s warnings are clearly designed for US citizens, but the advice on how to sidestep the traps is the same for everybody when it comes to phishing and malware scams.
From Koskinen:
- Avoid opening surprise emails or clicking on web links claiming to be from the IRS.
- Don’t be fooled by unexpected emails about big refunds, tax bills or requesting personal information. A big return? Ha. If it sounds too good to be true, it probably is. Besides, that’s not how the IRS communicates with taxpayers.
And from us here at Naked Security:
- Pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.
- Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.
- Consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.
Here are more tips to help you recognize, and steer clear of, phishing links.
Jim
What I want to know is why isn’t there a code attached to SS numbers, like there is with credit card numbers? It’s almost trivial to look up SSNs now, and even if you can’t, there’s only a billion of them, and 300,000,000 actively in use. Crooks have a 30% chance by just guessing.
Ideally, SSNs should have a certificate assigned to them. But, that’s a pie-in-the-sky goal, I think. So, I propose a 5-15 character code (like the 3-character code on credit cards). Then, make it the law that entities (other than the SSN owner) cannot store the two numbers together. (I’m taking the definition of “together” pretty loosely here.)