Phish in a Barrel: The Scams to Beware of This Tax Season
Tax season is phishing season for some of the world’s most unscrupulous people. When hardworking Americans are neck-deep in paperwork and fearful of Uncle Sam, scammers know it’s prime time for stealing identities and sending fraudulent tax returns. They’re phishing in a barrel with hundreds of millions of vulnerable targets.
Phishing is the act of stealing sensitive information by pretending to be someone you’re not. Like actual fishermen, phishers dupe victims into revealing information by using bait. Intelligent people fall for it all the time. Indeed, the security company RSA estimates that, worldwide, phishing attacks cost organizations $4.5 billion in losses in 2014.
Tax season is dangerous because it’s a time when people routinely exchange sensitive information with accountants, the IRS, and state tax agencies. They typically do so under pressure of time, focusing on the request itself, but not the details surrounding the request.
Unsurprisingly, tax scammers tend to impersonate those three groups, as you can see on the IRS’s running list of current Tax Scams/Consumer Alerts.
3 Types of Common Tax Scams
To prevent tax season scams, we need to first understand how they work. We can split them up into three types:
1. Fraudulent return scams. Scammers entice you to share your Social Security number so they can submit a counterfeit return and get a check from the government. Given their nature, these attacks have to happen early in tax season – in January and February – before most people file returns.
2. Identity theft scams. These schemes target all your personal information, including your Social Security number, credit cards, bank account information, and anything else that could be used to impersonate you.
3. Malicious penetration. This is when the attacker hijacks your computer system. For example, an attacker may insert viruses, track your passwords, or lock up your computer and demand payment of a ransom.
In most types of scams, email is the most common channel of attack. Scammers create an email template that looks just like the real ones used by US tax agencies. These phishing emails try to convince you to click on a link.
In some cases, this link will download malware (e.g., a virus) that enables the attackers to intercept communications or steal information from your computer. In other cases, that link leads to an official-looking website where you’ll be asked to enter sensitive information. That web page could be prepopulated with public information, like your name, address, and phone number, to convince you that it’s legitimate.
Finally, the email may attempt to extort a payment. It will include what looks like an official assessment, detailing what you owe the tax agency. Out of fear, some recipients will cut a check or submit the payment online. To create urgency, the scammer may say you owe $5,000, but the government will accept $3,000 if you pay within an allotted time period.
6 Signs of a Scam
So, how do you defend against these attacks? Besides moving to a country that doesn’t tax citizens or petitioning Congress to cancel taxes, you have a few options. The key is to be vigilant and then take action when you see these specific warning signs.
1. Be skeptical of all attachments. If you use e-fax, for instance, and your system always sends PDFs, an e-fax with any other file type is a sign of danger. An unfamiliar or unusual file type is another red flag. No tax email should contain .EXE, .MSI, or zip files.
2. English-language mistakes are sure signs of trouble. While scammers are more sophisticated than in the past, many still send emails with strange syntax and grammar.
3. Whenever an email asks you to left-click a link, stop. Right-click the link first and examine the URL. Where will it take you? If you see a foreign extension, like .cn (China) or .ru (Russia), that email isn’t from a US tax agency. In borderline cases, paste the URL into Google’s search engine box (not the URL box). See what you dig up before you click.
4. US tax collectors can be aggressive, but rarely do they send demands via email. Scammers understand this and have employed a few old-school phishing techniques. If someone calls you and demands a tax payment, request a fax or letter with his credentials and a breakdown of what is owed and why. A tax official will comply. A scammer will cajole you into paying over the phone. If the person asks, “What’s your address?” that’s another sign of fraud – your address is on your tax return, which the official should have handy.
5. If you receive snail mail that’s suspect, Google the address where it asks you to send a payment. Is it the address for a real tax agency?
6. Any demand for payment via a bank account, credit card, or wire transfer should raise alarms. And, finally, if the caller threatens to send the police because you refuse to pay, it’s not a real tax official. Though tax officials can be belligerent, they don’t do that.
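Signs 1 and 3 can be checked mechanically before anyone opens the message. The following is an added example, not part of the original article: a small triage function that flags the attachment types and link extensions named above. The sample message, its domains and the function name are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

BLOCKED_EXTS = {".exe", ".msi", ".zip"}  # types the article says no tax email should contain
FOREIGN_TLDS = {".cn", ".ru"}            # the article's two examples, not a complete list
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)

# Constructed sample: a fake "IRS" mail with a disguised executable and a .ru link
SAMPLE_EML = """\
From: "IRS Refunds" <refunds@irs-gov.example>
To: taxpayer@example.com
Subject: Your refund is pending
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Verify now: <a href="http://refund-portal.example.ru/login">https://www.irs.gov/refunds</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Tax_Assessment.pdf.exe"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

def triage(raw):
    """Return (kind, value) findings for blocked attachments and foreign-TLD links."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Only the last extension counts, so "x.pdf.exe" is treated as .exe
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in BLOCKED_EXTS:
                findings.append(("attachment", name))
        elif part.get_content_type() in ("text/html", "text/plain"):
            # Check where each link really goes, not the text it displays
            for url in HREF_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if any(host.endswith(tld) for tld in FOREIGN_TLDS):
                    findings.append(("link", host))
    return findings
```

Calling `triage(SAMPLE_EML)` reports both the `.ru` link hidden behind the irs.gov display text and the double-extension attachment.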
As US taxpayers, we are all phish in this barrel. We are no more or less safe than our neighbors. We must be vigilant, knowing that scammers have had ample opportunity to test and refine their tactics. Treat every tax email, call, and letter with the skepticism it is due.