Every year, the U.S. Internal Revenue Service (IRS) releases its “Dirty Dozen” list. This compilation covers some of the most common types of scams that target taxpayers each tax season. It also includes tips by which taxpayers may protect themselves and their identities.
Here are just some of the ploys that the IRS found in the 2018 tax year.
For years, fraudsters have been using phishing schemes to steal taxpayers’ personal information. But they’re always coming up with new attacks. In one variation detected by the IRS during the 2018 tax year, criminals steal a taxpayer’s personal information to file a fake tax return and direct deposit the tax refunds into the victim’s own bank account. They then masquerade as the IRS or a collection agency in order to gain access to those funds.
Phishers don’t limit their campaigns to taxpayers, either. They also conduct business email compromise (BEC) scams against tax professionals, payroll offices and HR departments. In those attacks, bad actors use social engineering techniques to steal access to these professionals’ email accounts. They then abuse this access to make off with organizations’ W-2 information and/or customers’ tax documents.
Phishing doesn’t just take place on computers. The IRS confirmed this fact when it observed a surge of phone scams, also known as “voice phishing” (vishing) attacks, in the 2018 tax year.
In many of these scams, digital attackers use a robocall to threaten individuals with arrest or license revocation unless they pay a bogus tax bill. To lend a sense of legitimacy to their tricks, these malicious individuals commonly use targets’ tax information and spoofed phone numbers to make targets think the call comes from the IRS or an actual collection agency, all in an attempt to steal innocent people’s hard-earned money.
Attacks designed to commit identity theft almost always follow on the heels of another malevolent act. In some cases, bad actors use vishing, BEC scams, phishing attacks or other campaigns to steal individuals’ personal information. In other scenarios, they profit from the work of other malefactors and obtain this information from sensitive data breaches.
To successfully commit identity theft, an attacker must steal one of two particular pieces of information: an individual’s Social Security Number (SSN) or their individual Taxpayer Identification Number (TIN). They’ll then use this data to file a fraudulent tax return so that they can claim a refund while denying the taxpayer what’s legally theirs.
FRAUDULENT TAX RETURN PREPARERS
Software like TurboTax enables taxpayers to file their taxes on their own. For a variety of reasons, however, many people aren’t comfortable with this option. They therefore decide to enlist the help of a tax professional in filing their taxes.
A tax professional holds a sensitive role for taxpayers in that the latter must provide the former with all of their personal data, including their Social Security Numbers. Bad actors realize this, which is why some decide to pose as tax professionals so that they can steal unsuspecting taxpayers’ personal information and commit identity theft. They may also mislead taxpayers who don’t know the law into taking credits or deductions to which those taxpayers aren’t entitled in order to increase their associated fees.
FAKE CHARITABLE ORGANIZATIONS
Digital attackers have many more disguises than just the IRS, collection agencies and tax professionals during tax season. Indeed, some masquerade as charitable organizations. They do so to lure victims into making ineligible donations. They may also attempt to steal victims’ Social Security Numbers and other data in order to commit identity theft.
Bad actors don’t stop there, however. Many use the guise of a charitable organization to prey upon victims of natural disasters and emergencies. In those attacks, they may also pose as the IRS to help victims file casualty loss claims and get tax refunds.
HOW TO STAY SAFE THIS TAX SEASON
Taxpayers can protect themselves against the scams identified above by exercising caution around suspicious links and email attachments, never providing sensitive information to anyone over the phone, choosing a reputable tax professional who’s available all year and researching a charitable organization carefully before making a donation. In turn, organizations can further protect their employees against these types of ruses by investing in a multi-layered email security solution. This tool should be capable of analyzing a suspicious email according to its IP address, URLs, filters and other attributes.