Tax filers could overlook security risks as they rush to submit their returns
As Tax Day looms near, many individuals are likely scrambling to gather their 2016 tax documents to avoid missing the filing deadline.
This year’s “extension” to April 18 may have contributed to an atmosphere of procrastination: According to an IRS interim results report, early March filings for 2017 were down 8.5 percent from 2016. And earlier this month, IRS Commissioner John Koskinen told Congress that, as of March 31, about 60 million individual returns were still outstanding.
As technology plays a greater role in daily routines, it’s quite possible that individuals have lost the sense of urgency to submit their tax returns early, knowing they can do it online at any time. Since 2001, there has been a significant increase in Americans e-filing their returns; the rate of participation jumped by more than 60 percent between 2001 and 2016. The IRS itself has been encouraging more individuals to utilize online resources, including those for filing, fact-finding and troubleshooting.
As tax season comes to a close, Americans must remember that there could actually be penalties associated with rushing to submit their tax returns. Cybercriminals will be making a strong push down the stretch (though all would do well to remember that tax fraud is ultimately a year-round risk). Attacks come in many forms, such as phishing emails, smishing (SMS/text phishing) scams, vishing (voice phishing) phone calls, and fake letters that claim to be from the IRS, tax filing services and other tax-related agencies.
In these closing hours before April 18, phishing and vishing scams are likely to ramp up, simply because they can be delivered (and capitalized on) very quickly. There is certainly a fair amount of public awareness of these threats—according to Wombat Security’s 2017 State of Phish Report, 65 percent of working-age adults know what phishing attacks are, at least in general terms—but the stresses and emotions that are tied to personal finances can make individuals more vulnerable. Attackers attempt to take advantage of these feelings, using scare tactics, promises of larger/faster returns, and other techniques.
This tax season (and beyond), there are a variety of ways individuals can prevent falling victim to phishing and other tax-related scams. It’s really about asking questions (and taking the time to find the answers):
• Was the communication expected? Any unsolicited tax-related message, call, or letter should be questioned and verified.
• Who is truly behind the email, text, phone call or letter? Logos, caller ID numbers, web links, and email sending addresses can be faked, so these can’t be taken at face value.
• Does the communication request personal information such as financial account numbers, a Social Security number, an account PIN, or other sensitive data? Any time this type of information is asked for, alarm bells should sound and extra steps should be taken to confirm the contact is legitimate.
• Does the communication request sensitive tax information for coworkers, like W-2 data? Tax fraud is not limited to the consumer space. Cybercriminals often target workplaces due to the large amount of personal information available. Any requests of this nature absolutely should be verified through multiple trusted channels.
It’s important that individuals be made aware that the IRS will never initiate contact via email, text, or social media and request personal information. In fact, the IRS has asked that individuals alert them to any suspicious emails; questionable messages should be forwarded to firstname.lastname@example.org and then deleted.
Though calls and letters may be legitimate, they should not be taken at face value. On the phone, individuals should take a name and call-back number and then confirm both are legitimate before returning the call. Mailed requests should also be verified. For detailed instructions about how to report vishing calls and other IRS scams, visit Reporting Phishing and Online Scams on the IRS website. This page provides a number of resources individuals can use to confirm the validity of communications, and they should absolutely make the effort to do so, particularly before remitting payment or turning over sensitive information.
Essentially, it’s about being vigilant. Earlier this month, the IRS advised individuals to carefully review their returns in order to avoid common errors or, rather than rush and potentially put information at risk, to ask for an extension. The advice is much the same with regard to properly dealing with unsolicited tax-related communications: they should be vetted thoroughly, and if they can’t be verified immediately, recipients should take extra time to get the right answers. Even if an email, call or letter ends up being legitimate, it’s best to have that reassurance prior to submitting any information, clicking on a link, downloading an attachment, or having a conversation that reveals personal details.
Though extra effort is something that most people shy away from, it’s more than worth it to prevent becoming a victim of tax fraud. The journey to correcting the situation is very tedious and time consuming, as a member of the Wombat Security executive team personally learned. Tax season may be officially coming to a close, but risks are always looming. Tax fraudsters can reach out at any time, requesting information, claiming a return was incomplete or indicating that money is due immediately to avoid costly penalties. If a communication seems fishy, it just might be phishing.