Site icon Sophos News

Taxpayers shrug off ID fraud warnings even as attacks rise

Pity the IRS. It’s been strenuously warning us about increased tax fraud all month. A big chunk of taxpayers have responded by yawning.

The IRS saw a huge spike in phishing and malware attacks during the 2016 tax season, which came on top of a 400% increase in phishing and malware in 2015. And earlier in the month, the US tax agency sent out an urgent warning about a new type of tax fraud taco: CEO spearphishing fraud stuffed with W-2 tax form scamming and a dollop of wire fraud on top.

But according to the second annual Tax Season Risk Report from ID theft protection firm CyberScout, a recent survey shows that the public’s not using the security practices we need to protect ourselves from identity theft.

Highlights from the report:

58% of people in the US don’t worry about tax fraud. They should! In November, the IRS said that it had stopped 787,000 confirmed ID theft returns in 2016, totaling more than $4 billion in potential fraud.

Only a minority – 35% – of respondents demand MFA. Multifactor authentication (MFA), or two-factor authentication (2FA), is a good stumbling block for identity thieves. But the majority of respondents said that they’re not requiring that their tax preparers use it, instead leaving the preparers to use a single password to protect clients’ personal information. To read more about the hows and whys of 2FA, check out our Power of Two post.

Only 18% of respondents use an encrypted USB drive. Instead, people are saving important documents like tax worksheets, W-2s, 1099s or 1040s in unencrypted form, while another 38% either store tax documents on their computer’s hard drive or in the cloud, leaving them vulnerable to attack.

More than half – 57% – of consumers file late, giving tax fraudsters time to impersonate them online and steal their refunds.

We’re not locking our mailboxes. 51% of taxpayers who expect a refund check in the mail don’t use a locked mailbox, leaving their checks at risk of theft.

Half of taxpayers don’t know how to evaluate a tax preparer. They’ll choose someone online, or they’ll fail to screen them beforehand, leaving themselves vulnerable to getting ripped off.

Only 48% of taxpayers use online tax services. That’s because 24% of respondents say they don’t trust them. That’s bad, according to the report, which says that it’s a “misperception” to think that online tax services can result in exposure of sensitive information.

I have a bone to pick with that point. History has shown that putting your faith in online tax services doesn’t guarantee information security.

In 2015, Intuit, the makers of the popular TurboTax app, stopped the e-filing of all state tax returns due to a surge in fraudulent filings. The freeze came after several states saw a deluge of phony filings and hence refused to accept the returns. It took five days to clean up the mess before Intuit recommenced state filings.

Utah’s state tax commission had discovered 28 fraud attempts that “originated from data compromised through a third-party commercial tax preparation software process,” as well as 8,000 returns flagged as potentially fraudulent. Eighteen other states saw the same thing.

Intuit wasn’t initially implicated in the leak. At any rate, besides the unspecified third-party commercial tax prep software processes, there are plenty of data leaking sources: data breaches, for one, which are sadly common nowadays.

How to slam the tax scams

Also, because so many tax fraud attempts are coming through phishing attempts, you might want to consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Here are more tips to help you recognize, and steer clear of, phishing links.

To read up on the most current tax scams and cyber-attacks, check out this page from the IRS.


Exit mobile version