March 17, 2020 By Jasmine Henry 8 min read

The tax season deadline in the U.S. is April 15, 2020, and that means scammers are officially on the prowl for unsuspecting tax fraud victims. Attackers are utilizing both time-tested and new techniques to collect tax information and personal data from victims and target individual and corporate accounts.

No one is immune from tax season risks, and most of us share a healthy respect for the Internal Revenue Service (IRS). Scammers rely on fear and stress to coerce individuals and employees into making same-day tax payments or releasing sensitive information. Everyone’s at risk of tax identity theft and social engineering fraud, but financial institutions need to be on particularly high alert for social engineering, vulnerabilities and ransomware attacks.

The IRS has joined forces with investigators and fraud experts to crack down on scams. Each year, a list of “dirty dozen” tax fraud trends is released to educate consumers. Luckily, these efforts have paid off, and some common fraud schemes from prior years are fading away. That doesn’t mean criminals are going anywhere, however. Instead, they’re evolving to stay one step ahead.

Here’s what to look for during the 2020 tax season and some tips for protecting against fraud for both individuals and businesses.

Tax ID Theft

Identity theft happens year-round. Still, professional scammers see tax season as a chance for massive windfalls using stolen personally identifiable information (PII). In 2018, the IRS reported that 649,000 returns were confirmed as identity fraud. These fake returns were attempting to collect $3.1 billion in tax return funds.

Threat actors aren’t picky about how they steal W-2s and PII to file fraudulent returns using consumer identities. Data is stolen from third-party breaches, social engineering schemes or directly from financial institutions. In other cases, cybercriminals will hack individual e-filing accounts to update bank account information and reroute direct deposits.

Fraudsters usually e-file fake returns as early as possible to make sure refunds are processed close to January 27. Often, victims discover the issue much later in the season when they e-file a return and discover their taxes were rejected due to a duplicate Social Security number.

W-2 Scams

As soon as Jan. 1 rolls around, it’s officially the season for W-2 fraud scams. Sophisticated social engineering scams are targeting payroll offices to request employee W-2 information. According to the IRS, a scammer may pose as a CEO or another person with authority to request a copy of all employee W-2 forms. Spoofed emails often trick payroll employees into disclosing an entire company’s W-2 data, which fuels identity theft and tax fraud.

Sophisticated Malware

Financial services, payroll and tax preparer firms are at particularly high risk of being victimized by sophisticated phishing scams. In many cases, the latest batch of spear phishing messages is the byproduct of significant reconnaissance on social media. Threat actors may invest significant time and effort into researching an individual’s job title, characteristics and writing style to convincingly impersonate an executive.

Social engineering has evolved significantly from the “long-lost relative” emails of the early 2000s. It’s hard for individuals to identify the latest batch of phishing and whaling scams as a security risk. According to ID theft expert Adam Levin, many phishing scams contain authentic-looking email signatures and well-written content. There are rarely tell-tale grammatical errors, and many impersonators are experts at emulating writing tone.

“Often, the only way to tell something is amiss is by looking at the URL — but even that can be misleading,” said Levin to MSN.

Uncertified Tax Preparers

The vast majority of tax preparation services are legitimate providers, but a minority are tied to refund fraud and identity theft, according to the IRS. Uncertified tax preparers are a risk to individuals, since taxpayers are ultimately responsible for the accuracy of their returns. Less commonly, tax preparers are trying to steal your return by putting their own account details in the direct deposit field.

Be wary of anyone who promises far larger returns than you can achieve using a top preparation service or filing method, especially if they’re advertising their business on a roadside sign or working out of a home office or coffee shop. Avoid working with anyone who won’t put their Preparer Tax Identification Number (PTIN) on your return.

Tax Transcript Scams

Individuals at work and home should be wary of any email communications that claim to be from “IRS Online” or major tax preparation services. The Tax Transcript scam is often heralded by an attachment labeled “Tax Account Transcript.”

These emails are the work of identity thieves and tax scammers who are trying to trick users into handing over their passwords or “verifying” PII. The attachments contain malware or ransomware instead of a tax transcript.

Financial Services Targets

In other cases, sophisticated hackers target personal information on the computer systems of tax preparer services to steal PII or tax refunds. In some cases, scammers have even managed to change refund account information to receive the victim’s direct deposit, according to Andy Phillips of H&R Block.

“If a fraudster is able to hack into a tax preparer’s network, they may be able to steal personal information of all clients that have filed with that preparer,” says Phillips.

Robocalls

The number of robocall scam tactics reported to the U.S. Federal Trade Commission (FTC) is at an all-time high. American consumers got 58.5 billion robocalls last year, according to Forbes — or 44 percent of all calls to consumer phone numbers, according to a press release.

Robocalls become a particular concern when they are coupled with public anxieties about the IRS and call origin spoofing tactics.

The latest batch of texts, robocalls and emails may ask taxpayers to “confirm their information.” Others may alert individuals to suspicious account activity. These are all common characteristics of phishing and vishing scams for ID tax fraud or other schemes.

The tax return filing deadline typically sees the single highest-volume day for reported robocalls all year. Consumers and businesses should prepare for a spike in call volumes as the 2020 deadline of Wednesday, April 15 approaches.

Tips for Protecting Against Fraud

Consumers and organizations in all industries are at risk of tax fraud and scam attempts this season. No individual or enterprise is immune to phishing, social engineering, ID theft or other tactics, techniques and procedures (TTPs).

Consumers are at the highest risk of being scammed by robocalls, vishing or phishing if they are elderly or speak another language aside from English. Ransomware and hacking attempts surrounding personal and business tax are likely to target businesses with W-2 or payroll data, tax returns or consumer PII.

Be Wary of Phone Calls

The IRS doesn’t call consumers or businesses to collect same-day tax payments. They’re relatively old-fashioned in the sense that they always initiate contact through a mailed letter.

IRS employees don’t make phone calls to collect on tax balances or tell you they’re doing an audit, and the IRS doesn’t use email. Representatives from the IRS might make a rare on-site visit, but only after several letters have been sent.

Any phone call that is supposedly from the IRS should be treated with extreme caution even if the caller ID says “IRS.” It’s nearly guaranteed to be a social engineering actor calling with a spoofed number.

Avoid Urgency

Threat actors prey on human emotions by creating a false sense of urgency and fear. They may threaten to “cancel” an individual’s Social Security number or suspend a driver’s license, according to AARP. In other cases, fraudsters frighten victims by threatening to get local law enforcement or immigration involved if a same-day payment isn’t made.

The IRS and Social Security Administration (SSA) don’t revoke Social Security numbers for any reason. Driver’s licenses cannot be revoked due to a tax balance. Making a same-day payment to avoid immigration issues or jail time is likely a mistake, especially if you’re paying a caller via gift card, wire transfer or cryptocurrency. Report any suspicious calls or emails directly to the appropriate authority, including the SSA, IRS or FTC.

Verify Caller Identity

The best way to avoid being pulled into a fraud scheme or social engineering trap is to verify information and identity every time. Any outreach during tax season could be part of a fraud scheme, including phone calls, emails and text messages.

Asking for an IRS employee ID number, tax preparer PTIN or other verification over the phone isn’t enough — fraudsters are usually prepared to answer this question with a fabricated or stolen ID number. Be prepared to call back to verify a caller’s identity with your bank or tax prep service. Always log into financial accounts on an updated web browser or an official mobile application on a secure network connection.

Verify Tax Preparer Identity

Around 56 percent of individuals use tax preparer services, according to the IRS. Unqualified preparers are relatively rare, but they often promise unusually high returns. These people may also advertise using unconventional, shady tactics like roadside signs, online directories or aggressive outreach.

The IRS offers an up-to-date online directory of credentialed tax preparer professionals where you can search by last name, state or proximity to your location.

Beware of Whaling

Requests for tax payments, W-2 data or tax return details should be approached with caution at home and at work. Remember, social engineering scams prey on employees with access to sensitive information. Everyone with financial or data access is at risk of being targeted at work.

Individuals in the workplace should always verify the identity and authenticity of a request for funds or data. Cybersecurity pros have a responsibility to educate colleagues and, more importantly, to change processes to limit risk. Policies should mandate the verification of data or money requests before employees are able to send money or PII.

Understand Payment Methods

Tax payments are made online, and the IRS will never demand payment in the form of an iTunes gift card or cryptocurrency. Same-day requests for a gift card code, bitcoin or wire transfers are all hallmarks of scammers.

Report ID Theft

For many taxpayers, the first sign of tax fraud is a rejected e-filed tax return due to a “duplicate Social Security number.” This can signal that a malicious actor has already filed a return with your details. Take action immediately by using Form 14039 to alert the IRS that you’re a victim of ID theft.

For businesses, the first sign that someone has attempted to gain access to corporate tax accounts is generally a lack of communication. If you aren’t receiving letters about your taxes, a fraudster may have changed your mailing address info with your financial services provider or the IRS.

Make an Incident Response Plan

Organizations in all industries should be prepared for ransomware and other cybersecurity risks, especially businesses in financial services, payroll or tax-preparing sectors. An incident response plan is a necessity, as is backing up sensitive data in multiple secondary locations to ensure business continuity if you’re hit.

“If you have the word ‘tax’ in your domain name, you’re a target this year,” according to Infosecurity Magazine. “And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately.”

Smaller financial services firms face a disproportionate number of threats. “This makes sense because smaller companies often have fewer resources and less expertise to prevent these attacks and detect them when they’ve happened,” Infosecurity Magazine reported.

Check All Files and URLs

Most ransomware attempts are delivered through a malicious file attachment or URL, which is often carefully disguised as a legitimate business communication, such as a vendor invoice. Remember, even if an email, sending domain or URL appears legitimate, it could still be a risk.

Monitor System and App Vulnerabilities

The most sophisticated ransomware and advanced persistent threats (APTs) may bypass social engineering and phishing methods and exploit vulnerabilities in operating systems or applications. According to Infosecurity Magazine, there has been a trend toward code being planted by attackers on compromised sites. Many hackers are focusing on targeting unpatched, outdated content management systems (CMSs). Code is often hosted externally to evade basic detection methods.

Identify Malicious Ads

Malicious rich-media advertisements are relatively rare compared with other methods of ransomware infection, but they’re still common enough to warrant attention. Cybersecurity pros should be conscious of ads and ad network risks on legitimate websites and in applications downloaded from official app stores.

Surviving Tax Fraud Season

If there’s any guarantee about threat actors, it’s that most individual hackers and collectives will follow the money. They engineer schemes to fit the shopping patterns of consumers and businesses, as well as other financial trends, which is why fraudulent activity spikes during Black Friday and tax season. Since both consumers and businesses fear the IRS, there’s huge potential for social engineering schemes to trick people into handing over sensitive info, credentials or payments.

Remember, no person or business is immune from fraud or scams. Financial services firms should be particularly wary of the risks between now and April 15. Monitor your device and network health and make sure employees are prepared to identify phishing and whaling tactics.
