Tax season is well underway, and it is one of the most common times for individuals to fall victim to scams and for companies and accounting firms to experience data breaches. According to the IRS, tax refund fraud is expected to soar this tax season, hitting $21 billion this year, up from just $6.5 billion two years ago.
But why do so many people fall victim to scams during tax season? Hackers see it as a prime opportunity to socially engineer victims due to the nature of tax season itself – people are expecting money back on their returns.
Additionally, people are filling out forms, either on paper or online, which contain sensitive information, such as Social Security numbers, bank numbers, and more. This gold mine of personally identifiable information (PII), which can be stolen and sold on the black market, yields a high return for hackers.
Recent Breaches
In January, TaxAct reported about 450 customers may have had personal and tax return information stolen by cybercriminals. More recently, TaxSlayer reported 8,000 of its customers’ personal information may have been compromised. Both vendors claim that usernames and passwords that were used to compromise customer accounts were taken from a third-party vendor.
Best Practices
Companies like TaxAct and TaxSlayer are gold mines for PII because they often contain names and addresses, Social Security numbers, bank account information, and other data contained on tax returns. Vendors need to be conducting regular security audits of their systems, including, but not limited to, penetration testing. They need to perform code audits on the software they are shipping, whether it is downloadable or on the web, looking for vulnerabilities well before the hackers do. When they house this much PII, they take on a greater responsibility of protecting data.
Just as important, companies need to make sure they are educating their users on best practices for both avoiding a breach and handling one. Employees should be trained on how to spot these types of attacks. Additionally, companies should have a strategic plan already in place in the event that a breach happens.
Unfortunately, consumers are at the mercy of the vendor, so there’s not much one can do to prevent their data from being stolen. However, at the very least, here are some proactive tips for taxpayers:
Utilize a credit-monitoring service.
Be cautious about what you are clicking on and downloading. During tax season, you might receive a fake email purporting to be from the IRS asking you to fill out a form online with your PII, or to download and run an attachment that contains malware.
Ensure usernames and passwords are not the same for different accounts (e.g., your login for your Chase bank account should not be the same login for your Wells Fargo mortgage account, etc.).
Make sure your computer is patched by running Windows Update.
Make sure your computer is running an antivirus application and that it is up-to-date.
Be aware if you owe money on your tax refund.
Use a trusted, reputable tax professional.
Turn in any questionable activity to the IRS or your accountant.
Unfortunately, these scams won’t go away. We’ve seen them in prior years, and we will continue to see them in the future. Companies and individuals need to be more proactive in the ongoing battle against data breaches and scams.
Dodi Glenn is vice president of cybersecurity at PC Pitstop. He has more than 10 years of experience in the cybersecurity industry, specializing in security risk assessment, programming, firewalls, malware/targeted attacks, antivirus, and more.