With the 2020 tax season underway, cybersecurity analysts are seeing an increase in the number of impersonation attacks focused on stealing personal information through voice phishing, texts, and email.
According to the Daily Mirror and other news sites, taxpayers are at their most vulnerable during income tax self-assessments due to uncertainties over filing processes. Other reports have shown cybercriminals take on the guise of credible organizations to persuade citizens to hand over private credentials. They exploit access to bank accounts and sell the data they’ve secured for additional profit. Wired Magazine’s Louise Matsakis, cybersecurity staff writer, has commented, “…online scammers do more than masquerade as the IRS. Some have created fake versions of online accounting tools like QuickBooks, while others pretend to be tech support agents… to dupe people trying to file their taxes.” 135 million people filed electronically last year according to the IRS, many on their phones.
“These attacks…work,” commented Carl Wearn, Mimecast’s Head of E-crime and Cyber Investigation. Unfortunately, there’s no appreciable way to halt these types of impersonation attacks on a large scale. The best defense depends on individual cyber awareness and an understanding of red flags that suggest foul play.
Phones Are a Common Threat Vector for Impersonation Attacks
Identifying common threat vectors as a taxpayer is a crucial safeguard in protecting information and financial assets, especially going into the 2020 tax season. By banking on an individual’s uncertainty, impersonation attacks generally follow several vectors. They contact targets by vishing and encourage them to call back with private information; they also reach out via text or email, posing as the IRS. These may come as reminders to file or tax preparation offers, and some have begun mailing official-looking, fraudulent letters.
Scammers use these avenues to offer fake tax rebates using malicious links. Impersonators often leave accusatory voicemails or emails to manipulate victims and cause fear and alarm. In one example, Business Insider’s senior personal finance reporter Tanza Loudenback writes, “A phone number from Washington, DC, called me and left a voicemail….It was an automated message that said:
‘Time sensitive and urgent … we found that there was a fraud and misconduct on your tax which you are hiding from federal government. This needs to be rectified immediately, so please return the call as soon as you receive the message.’”
The IRS has stated they will not reach out to discuss financial matters through email, text, or social media, and calls are generally reserved for follow-up to an official letter. Voicemails like this are a prime example of fraud, playing on the fears of the listener to invoke an impulsive response. Though it may not have worked in the case of Loudenback, thousands of taxpayers fall into these traps every year. Cybercriminals play on taxpayer uncertainty with malicious disinformation, coercing victims into providing banking details, social security numbers, and other personal information.
Recognize Signs of an Impersonation Attack
Impersonation attacks are more common than ever, and a source of risk for taxpayers who lack the necessary cyber awareness to successfully deflect these advances. In 2018, the U.S Internal Revenue Service released a report highlighting a 60% increase in bogus email schemes to steal money or tax data, and tactics are continuously growing in sophistication and scale. Carl Wearn’s research indicates impersonation is the most frequent type of attack and is increasing in use. It’s become a necessity for taxpayers to discern the difference between credible revenue service communications and fraud.
Taxpayers must educate themselves on how to identify signs of foul play. There’s no viable way to lessen the number of attacks happening – the only method to best minimize risk is to recognize there is a threat before it’s too late. The IRS offers useful information on their own protocols.
Scammers have become proficient at playing on the uncertainties of victims, but these ploys are easily detectable when taxpayers are aware of IRS processes. When if doubt, contact the IRS directly with questions and concerns.
Fight Tax Fraud: Cyber Awareness Best Practices
Much like walking to a car alone at night, it pays to be vigilant and aware of any surrounding environment. This is also true of the cyber landscape. Impersonation attackers will seek to exploit taxpayer confusion to persuade and coerce victims into divulging sensitive information. Familiarity with the cyber awareness best practices below will help victims mitigate risk and defend their assets:
• Filing taxes early can prevent scammers from filing them in a taxpayer’s stead
• Use password-protected WiFi and login practices when filing electronically.
• Check URLs for the “s” at the end of “https”, which stands for secure encryption. Any site page without one may be vulnerable to data collection.
• Only use credible tax filing services, whether it be an online application or an accountant. Be wary of “ghost tax return preparers.”
• Respond to official IRS communications as soon as possible.
January 2020 will mean tax form processing for everyone, and for many, these steps can seem ambiguous and confusing. But practicing cyber awareness by avoiding voicemails, text messages, and emails that seem suspicious can protect individuals from detrimental financial and data loss.
Article by Sarah Rollman