Tax Fraud Season Extends Beyond Tax Day

April 12, 2017 Marketing GrafWebCUSO

IBM X-Force researchers saw a 6,000% increase in tax-related spam emails leading up to Tax Day 2017. That’s significant because tax fraud season does not end on April 18.

The IBM researchers see this increase and other factors as evidence that cybercriminals are not slowing down their attacks. Exacerbating the threat is the fact that last year, 54 million Americans (one-third) filed taxes after April 1.

This year’s extended deadline gives cybercriminals even more leeway to execute their tax fraud schemes. IBM X-Force stressed that it’s especially crucial for consumers to stay vigilant in protecting their online identities over the next month.

IBM Security’s report takes a closer look at the techniques and motivations of cybercriminals targeting U.S. taxpayers. The new report, “Cybercrime Riding Tax Season Tides: Trending Spam and Dark Web Findings,” outlines some of the top techniques used by cybercriminals, including:

• Seasonal phishing: Criminals use the timeliness of tax season to entice consumers to open emails and files that have malware embedded. Then they steal consumers’ passwords and other financial information. The emails might look like they are coming from the IRS, but they are not; the crooks are posing as the IRS.

• Who’s the boss?: Crooks send a business’ accounting staff an email that appears to have come from an executive asking for an employee’s W-2 information. The emails look legitimate so unsuspecting employees open them, answer the questions and send sensitive information to the hackers.

• Turbo scammed: Dozens of tax software companies are competing for consumers’ business this time of year and send legitimate marketing emails to entice people to file with them. Cybercriminals recreated the look and feel of those emails and are redirecting unsuspecting consumers to fraudulent websites, where they steal login details and ultimately enough info to file a return.

IBM X-Force also mined the Dark Web and identified criminals selling W-2s for around $50 per document, thus enabling the filing of false returns (and collection of associated refunds). Therefore, the longer a taxpayer waits to file a tax return, the more susceptible they are to a potential scam. In 2016, the IRS reportedly paid out approximately $5.8 billion in fraudulent refunds.

“Today’s online fraudsters are savvy, scrappy, well-connected and extremely motivated to go where the money is,” Limor Kessem, executive security advisor for IBM Security, said. “It’s inevitable for our researchers to observe spam campaign surges timed with topical events. Consumers and businesses should be hypervigilant during these key periods, and implement security best practices year-round to successfully sidestep many of the tactics and traps regularly used by malicious hackers.”

IBM X-Force offered the following tips to fight tax fraud:

  1. Don’t delay, file right away: File your taxes as soon as you receive your W-2 from your employer. The longer people wait, the more opportunity fraudsters have to steal a return.
  2. Sign up for a PIN from the IRS: The IRS IP PIN is a six-digit number assigned to eligible taxpayers to help prevent the misuse of their Social Security number on fraudulent tax returns.
  3. Take advantage of free credit monitoring: Most breached organizations now offer free credit monitoring services, and consumers should plan to take advantage of them for the maximum time allotted.
  4. Be vigilant: The IRS would never initiate contact with taxpayers by email, phone, text or social media to request personal or financial information.
  5. Be aware of spoofing emails: Scammers often send spoof emails from a target organization’s CEO, requesting all employee W-2 information from human resources and accounting departments. Don’t fall for it; authenticate the request.
  6. Avoid clicking on email links from tax vendors: For those intent on self-filing online, access the vendor’s website directly to ensure you’re accessing the trusted site.
  7. Avoid password reuse: Especially when filing taxes online, make sure to avoid reusing a password used for other websites.

Report it: If you suspect a phishing email, or a fake website purporting to be a tax authority’s site, report it by sending it to phishing@irs.gov.