There is so much more to fear from tax season than just pushy IRS agents and mishandled government forms. Each year as filings pick up so do tax scams, and millions of Americans fall for the con. The losses are staggering, with just one one recent operation alone raking in over $15 million in stolen money. They push the lie over the phone sometimes, but that's not the real danger.
The real danger according to cybersecurity expert Kevin Kennedy, a vice president with email security company Agari, is over email. Identity and refund thefts have gone through the roof thanks to tax scams pulled off with nothing more than an email account and a couple of fake websites. None of it is particularly sophisticated stuff. It all tends to rely on good old-fashioned social engineering, and knowing how to write a convincing cover letter.
“In general,” Kennedy said, “you see that the criminals or the attackers go after the places where they see the most vulnerability and the best business model. That is often email today. They’re using it with the IRS types of scams… [and] effectively exploiting a combination of trust and fear.”
We tend to trust official messages from banks, government agencies or utilities, simply because we process so many every day. We tend to fear a call from the tax man for, well, fairly obvious reasons. When an e-mail drops in claiming to be an official message from someone who can get a warrant, we’re highly motivated to trust and dispose of that message, and unfortunately, the email system has no way to filter or safeguard against this type of fraud. Nothing automatically built into an email account can verify the sender or any of the links, and certainly poor Gmail has no way of knowing whether the letter rings true. (If Google could write that code, its true calling might lie in dating advice instead of search engines. On the other hand, if anyone can do it...)
That’s why email has become so popular for scams. It’s one of the most vulnerable systems online.
The thing is, despite the fear that many people have of doing business over the Internet, secured connections are generally precisely that: secure. Although an intruder can, with time and effort, intercept a banking transaction or an e-filing, doing business online is generally safe. The required investment means that the average user won’t likely become a target.
Phishing emails are, on the other hand, require almost no effort. They are one of the top threats on the IRS’ annual “dirty dozen” tax scams, because they are just so easy to run, being little more than carefully worded spam put together to look like a legitimate email. Scammers will typically include images or logos to make the message look more official, and almost always spoof the return address so that it says the message originally came from irs.gov.
The result is a formal-seeming message requesting that the recipient click a link to confirm e-filing information or respond to an overdue notice. The site, a dummy set up to look like the real thing, requests and harvests personal information such as Social Security numbers, taxpayer PINs and previous refunds.
As easily as that, with little or no actual interaction from the scammers, the phishing emails have collected enough information to steal a taxpayer’s identity. It is, Kennedy explained, a low-cost, low-risk way to launch crippling financial crimes.
Although the whole system depends on spoofing the original sender so that it looks like the message came from irs.gov, it turns out that's incredibly easy to fake.
“You can think of it as kind of the original sin of e-mail,” Kennedy said. “It’s relatively trivial, because email, when it was initially defined, the concept of validating who [a message] was sent from, it wasn’t built in.”
In fact, this is one of the reasons why e-mail is evolving to be the biggest single threat to taxpayers right now. It was designed for campuses and scientists. No one ever intended this system to become the backbone that it has today, and despite advances to mailboxes and mail servers the architecture of this system remains largely unchanged from when college students used to play Star Trek games in the 1980’s.
Email was never designed with security in mind, and now it’s gotten too big to rebuild the system from the ground up.
The goal of a typical phishing message is to collect personal information, Kennedy said. This differentiates it from the telephone scams also popular at this time of year which try to extract money directly from frightened taxpayers. Phishers want to steal identities and refunds, often from people who may not have even heard of the practice of stealing tax refunds.
Turns out, it’s big business.
As H&R Block’s peculiar old man, William C. Cobb, never tires of reminding us, Americans get back billions of dollars in tax refunds every year. The IRS gave back more than $274.7 billion in 2014 alone, with an average refund of $2,689 per household. This is an odd form of Christmas-come-early in that it amounts to merely getting back the interest free loan we all float to the government with each paycheck, but it’s still a nice bit of extra cash in hand every April.
It’s also a very tempting target. Phishers who get ahold of your filing information through phony websites can file your taxes on their own behalf. For anyone concerned about the criminals’ accounting standards, don’t be. They generally have none. As long as the return clears and doesn’t raise any immediate red flags they’ll have wired the money onto a pre-paid card long before any problems come up.
And by then, as far as they’re concerned, that audit is a you problem. In fact, this is how many Americans discover their problem, when they go to file their taxes and discover that someone else already beat them to it.
“This doesn’t just cost you as a consumer,” Kennedy said, “but you as a citizen are also in a really bad position because you don’t even know how much income has been claimed.”
To give a sense of overall scale, he added, just take a look at the Dirty Dozen. As part of 2014’s list the agency announced that it managed to intercept 19 million fraudulent tax returns and prevent $63 billion in fraudulent refunds between 2011 and 2014.
Those are staggering numbers. They get even bigger when you consider that those are just the problems that the agency caught.
“That gives you a scale of what it’s costing us as the taxpayers, as well as for the individual,” Kennedy said.
There are plenty of scams out there, especially at tax time. The email scam may well be the biggest though. At the stroke of a key, scammers can launch a million e-mails, and if even a handful find their target, it’s been a good day’s work.
As far as protecting ourselves, education is the best first step. Although agencies like the IRS can and should look to upgrading their systems to better prevent scams like this, taxpayers should also know that the IRS never makes initial contact or requests information via e-mail. They can ignoring all messages like this because none will ever be legitimate. If anything raises a question, call the agency and try to ask a question (although that has admittedly become an increasing challenge).
And as always, simply be careful about any unsolicited messages asking for information.
“Right now the front door is wide open," Kennedy said. "You look at these types of phishing schemes, and they’re actually using the government’s domain. The low hanging fruit for the criminals is absolutely to use that.”
--Written for MainStreet by Eric Reed, a freelance journalist who writes frequently on the subjects of career and travel. You can read more of his work at his website A Wandering Lawyer.