The National Cybersecurity Alliance (NCA) and the Internal Revenue Service (IRS) are warning businesses to watch out for tax time scams.
“With tax filing in full swing, cyber crooks are doing everything they can to take full advantage of the opportunity,” said Kelvin Coleman, the NCA’s now-former executive director, in 2019. “Tax time is a haven for hackers, who are masters of manipulation. With the tremendous inventory of personal and financial shared online, it’s essential to remember that Personal Information Is Like Money. Value It. Protect It. Following good cybersecurity practices during tax season and throughout the year allows everyone to reap the benefits of connectivity with increased confidence.”
What are common tax season scams?
- W-2 Scams: Thieves can pretend to be company executives and trick payroll into revealing confidential data. The thieves will demand copies of employee W-2s containing addresses, social security numbers, income, and withholdings. Workers anxious to follow the request of a superior may unwittingly send the records to the thieves.
- Phishing Emails: Scammers can create official-looking emails that look like they are from the IRS. For instance, cybercriminals can deliver an email urging their target to fill in their personal information in their PDF form and send it directly to them. Or the emails can instruct people to confirm their personal information by clicking on a hyperlink to an impostor portal and entering their login data.
- Fake IRS Phone Calls: Fraudsters can call pretending to be IRS agents and claim that you owe money. Next, they will threaten to arrest you if they do not get their payment immediately. Or, they might say you are getting a refund and ask you to verify personal information, such as your social security number. Keep in mind that the IRS will initiate nearly all communications using the U.S. Postal Service. Also, they will not request payments to sources other than the U.S. Treasury.
- Tax Return Fraud: Thieves may use stolen names, addresses, and social security numbers to file a tax return before you can. Afterward, once victims try to turn in their tax returns to the IRS, the agency will reject the entry. Additionally, someone might use your social security number to get employment, and then you would receive a bill for unpaid taxes.
How can you prevent tax time scams?
“Taking simple, actionable steps can go a long way in helping to protect your company’s data along with the personal information of your employees and customers during a period of high online traffic,” states the National Cybersecurity Alliance. Please follow these tips:
- Do not wait until the April 18th deadline to file tax returns. Make sure to file once the required documents become available. If you get tax records from a mysterious employer or discover your someone submitted your tax return without your knowledge, call the IRS Identity Protection Specialized Unit at 1-800-908-4490.
- Avoid ghost tax return preparers. They do not sign the tax returns they prepare. According to the IRS, “Not signing a return is a red flag that the paid preparer may be looking to make a quick profit by promising a big refund or charging fees based on the size of the refund.” They may change your income figures and deductions so that you qualify for an unusually large return. Make sure to research your tax preparer before handing over your personal information.
- If sending documents electronically, do it securely as possible. For example, you can encrypt files before emailing them to your tax preparer. Or, you can upload your documents to a secure portal and share access only with the tax preparer.
- Mail paper returns directly from the post office. Give the paperwork directly to the mail clerk and deliver it by certified mail. Do not drop it off in an unlocked outgoing mailbox bin. Thieves can open the envelope, record your information, and put the paperwork back into the bin.
- Be careful of communications that urge you to act immediately. For example, if you get a surprise phone call supposedly from the IRS and they demand immediate payment for a debt you did not know about, hang up. The IRS will usually let you know if you owe money via postal mail and not through email. Contact the IRS using their website’s contact details. You may also report impersonation phone calls to treasury.gov/tigta.
- Watch out for unsolicited emails, text messages, social media posts, or fake websites that instruct you to click on a link or to share personal and financial information. Cyber scammers can use the data to steal funds and commit identity theft. Also, if you click on one of their links, it may download malware that can spy on your activities or lock you out of your data.
- Report phishing scams to the IRS. You can report IRS, Treasury, or tax-related phishing scams to firstname.lastname@example.org.
- Keep your software updated on your devices, including security software, web browsers, and operating systems. Unpatched software programs leave security vulnerabilities hackers can easily exploit.
- Scan devices with security software every week, especially when they are being used to file tax returns. Frequent scans with Trend Micro or Malwarebytes software can prevent hackers from accessing your device and installing spyware.
- Whenever staff members work remotely, they should stick to using a private password-protected Wi-Fi signal when working with sensitive data. Do not ever use public Wi-Fi for this function since a nearby hacker can spy on your activities.
- Choose strong passwords with a random combination of numbers, letters, and symbols. Also, use unique passwords for each account and store them in a password management program.
- Use multi-factor authentication with online accounts when possible, especially for email, banking, and social media.
- Use safe document storage methods. Physical paperwork should be locked in steel cabinets. For digital records, use encrypted enterprise cloud storage, such as Anchor from Axcient and Citrix ShareFile.
- Back up your documents. The NCA recommends keeping at least three copies of your data. Store two backup copies on different storage media and the third offsite.
- Wipe data from computers and mobile devices before discarding them. Plus, shred sensitive documents before throwing them out.
- Perform regular company cybersecurity training to ensure employees can recognize any unauthorized attempts for personal information.
- Set up a security breach response plan. The Federal Trade Commission has a response guide you can refer to here: https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-breach-response-guide-for-business.pdf
If have questions or concerns about your data security, you can give us a call at 877-794-3811 or email email@example.com. We can offer added protection in our subscription-based cloud service called Security as a Service. It includes email security, web security, enterprise anti-virus/anti-malware protection, ransomware protection, intrusion prevention, and security monitoring.
Note: This blog was originally published in April 2019 and has been updated for accuracy and comprehensiveness.