Tax scammers are prepped for the busy tax season and waiting patiently for consumers to take their bait as the number of cases of malware and phishing incidents rise during this period.
A larger percentage of malware and phishing occurs through text messages and emails during the next couple of months, luring unsuspecting taxpayers into releasing their personal information to what they believe to be the actual IRS, but are fraudulent websites.
The fraudsters are no longer targeting just consumers, but also tax preparers, human resources and payroll professionals and even schools, the IRS said.
Impersonating an employee from a tax software provider, government agency, bank or credit card company helps the scammers as victims believe they are trustworthy. After, they hack into the organization's email system or create a fake website that mimics a legitimate website but includes fake log-in areas.
When victims fall prey, they inevitably provide passwords, Social Security numbers or other financial information to the fraudsters.
"These email schemes continue to evolve and can fool even the most cautious person," said IRS Commissioner John Koskinen in a statement. "Email messages can look like they come from the IRS. Don't be fooled by unexpected emails about big refunds, tax bills or requesting personal information. That's not how the IRS communicates with taxpayers."
One scam has an email subject line entitled "Access Locked" and states that taxpayers are not able to access their tax prep software accounts because they were "suspended due to errors in your security details." The scam email suggests that the tax professional cope with the issue by using an "unlock" link provided in the email.
Instead of the link going to a legitimate website, a page appears and asks for a user name and password. Tax professionals wind up providing information about their clients to cyber criminals, allowing them to steal additional personal information.
The phishing scams aimed at the IRS and tax fraud reveal that cyber criminals have been "well prepared and organized for this year's coming tax season," said Joseph Carson, chief security scientist at Thycotic, a Washington D.C.-based provider of privileged account management (PAM) solutions. "It has started earlier than we have seen in previous years and is using multiple techniques to scam tax payers from their money and tax refunds."
In 2016, a record number of data breaches occurred with over 3 billion records which were stolen in 2016, which results in 8.2 million records stolen each day or 2 out of every 3 people using the Internet, he said.
The data being targeted and sold by cyber criminals are "going into good uses" such as well-planned phishing scams that utilize identity theft, CEO fraud and W-2 phishing, Carson said. These targeted attacks have very specific information such as names, email addresses, home addresses, telephone numbers and Social Security numbers of the victims. The personalization of these phishing emails makes it harder to detect the scams.
"It is always important to be vigilant during major events, such as the Super Bowl, the NCAA tournament and tax season," he said. "Before doing anything, check and validate that it is coming from a trusted source and always question the authenticity."
Sticking to the mantra of "don't share personal information ever" helps companies avoid falling for these breaches.
"If the IRS needs information from you, they will contact you directly, not via email," said Mike Kail, chief innovation officer at Cybric, a Boston-based security platform provider. "This is a very challenging security issue to overcome," he said. "Essentially, you are as secure as your least sophisticated user, and that sophistication 'rating' is elastic, depending upon other distractions at the 'moment of phishing' and being on a mobile device makes it even more challenging."
The IRS scams also include malware, which gives the hacker access to the desktop or smartphone and allowing them to access files and track keyboard strokes.
Fraudsters who are prosecuted for these crimes face criminal charges along with penalties and interest. The IRS collaborates with the Department of Justice to halt these scams and pursue criminal prosecution. To combat these crimes, the IRS works with state revenue departments and tax professionals to inform taxpayers about the potential for fraud.
The IRS typically refrains from contacting consumers through email, social media or text messages for financial information.