Tax Season is Open Season for Cybercrime
Welcome to America’s 105th annual tax season, first observed in 1913 with the ratification of the 16th Amendment that made filing U.S. income taxes a permanent, annual event.
Fast forward to the present and every single item you need to file your taxes – from your W-2 form to account balances – are online.
Here’s where online criminals come into play. They know full well that millions of households are already accessing almost every account that matters, from financial services to healthcare providers. It’s a social engineering bonanza, and criminals are getting better and better at it every year.
Online tax fraud hits both individuals and organizations. Criminals do not discriminate. Here’s an example of a successful online crime campaign targeted to organizations and the people that work with them. Then I’ll wrap with some tips on how to file a return safely and securely by next month.
Beware of the Form W-2 Scam
In 2016 a highly successful socially engineered attack vector hit the finance community hard. I call it successful only because by last year’s tax season the number of organizations that reported falling victim to the scam increased nine-fold.
Here’s how it works. Cybercriminals are focusing more intently than ever on spear phishing attacks targeted at executives and payroll teams in businesses large and small, across all private and public sectors.
The criminals research and identify executives and payroll staff within their targeted organization using tools like LinkedIn. Next, they can hack into a legitimate email account and send emails “from” the account holder, making it very easy to pose as the sender.
The criminal will request one or more W-2 forms, followed by a wire transfer request. Employees might not recognize the danger since the email is from someone trusted in their organization.
Why go through such bother to get one document? A W-2 form is a key to the kingdom of fraud. It contains a name, home address, Social Security number, income and withholding data. The criminal who obtains a legitimate W-2 form may simply put it up for sale on the Dark Net and fetch up to about $20 per form. Or they may use a W-2 form to file a fraudulent tax return, and receive sizable refunds directly deposited into their own bank accounts.
So, what can you do to not fall victim to a socially engineered tax season scam? I can think of a half-dozen ways off the top of my head.
Six Ways to Protect Yourself This Tax Season
- Don’t take the bait and get phished. You may very well be as interesting to phish as your company’s payroll team. Learn how to identify several common telltale signs that indicate you are or are not viewing a legitimate email. The Anti-Phishing Working Group (APWG) can help you get smarter in this respect.
- Don’t get vished, either. Vishing means voice phishing, and it happens through a conversation on the phone. Always remember that the IRS does not call you on the phone to discuss your tax matters. They mail everything.
- For the three millionth time, get off that public Wi-Fi network. Order your latte, and enjoy it at home while doing your taxes, connected to your much more secure home Wi-Fi network.
- Use smart and secure passwords to access every single account. While you spend a lot more time than usual in the coming days and weeks accessing your online financial and healthcare accounts, do yourself a favor and install a simple password management tool so that can get you into every single one of your online accounts securely, accessible by one simple personal passphrase only you know. A good tool will encourage you to have a different password for every site and even give you a security score to up your game.
- Read your credit card and bank statements. They are shared with you, in part, so you can track and record every transaction and payment. Let them do their jobs and inform you. While you are at it, confirm that your home address is correct, and pay attention to fraud alerts.
- Shred isn’t dead. Buy yourself an inexpensive shredder, turn it on, and insert every credit card statement, bank statement, and anything else that shouldn’t be found while dumpster diving (which still happens, a lot).
Just think, for more than a century now, millions of Americans have dreaded preparing and filing their taxes. I might not be able to help reduce your dread, but hopefully this post will help you reduce your concerns and better protect your assets.