Despite tales of highly sophisticated, fluid-fingered cyber ninjas working tirelessly to penetrate heretofore impenetrable, firewalled, super secure databases, many identity thieves actually have a pretty easy job getting what they need to make a killing. The number of people out there with tight personal cyber security is fairly limited — those who only go online via virtual private networks (VPNs) and communicate solely via encrypted email and messaging apps. They aren’t so easy for the average scam artist to “get.”
Then there’s the rest of the online community. For most folks, “personal cyber hygiene” is an exotic idea. This makes a majority of the population very vulnerable, so a fraudster doesn’t have to be particularly smart or skillful to hack them. That is frightening enough, but identity-related tax fraud is not as tough to pull off as you might think (or hope), and the reason is more frightening still: There is no need to be a savvy hacker to get all the information required to commit it. You just need to be creative and persistent.
It Sounds Easy for a Reason
While many cry foul and point to an incompetent government or bad business practices as the vector for the proliferation of identity-related crime, the problem has become pandemic and systemic, and its origin no longer really matters. Consider for a moment that, when it comes to the protection and storage of our personally identifiable information (PII), we all share a fair amount of blame in the growing tax fraud epidemic, whether through lax individual PII management, an unquenchable thirst to share every tidbit of our lives on social networking sites, or a poor understanding of basic online security practices.
That’s not to say the government isn’t a significant player in this evolving Shakespearian drama. A recent news story demonstrates, yet again, that real life is often much stranger, and exponentially more infuriating, than fiction. The IRS was forced to suspend an online tool to retrieve forgotten Identity Protection PINs. If you don’t know what that sort of PIN is exactly, you can probably guess: It’s the six-digit key system that the IRS created to ensure that you are actually you when you file your taxes.
Yes, you got that right. The system devised by the IRS to make filing safer after you have become a victim of identity theft was compromised. Fraudsters figured out a way to commit fraud using the fraud protection system created by arguably the most defrauded agency in the U.S.
The government is not entirely to blame. Neither is the average, non-VPN-using webizen. No one is to blame, and yet everyone is.
Reality check: There’s just a long and ever-growing line of future victims, because so many people have had their PII compromised through data breaches and a chorus line of “ishings” (phishing, spear-phishing, vishing and SMishing), as well as other information SNAFUs. There just aren’t enough bad guys floating around to commit all the potential crimes that cornucopia of information makes possible.
So, besides withdrawing all cash from every account you own and handing it out to complete strangers in the middle of Times Square (whilst navigating a mob of cartoon characters who want you to take your picture with them for $20), what can you do?
There Is Plenty You Can Do
- File Early. The sooner you can get your tax return filed, the sooner you will get your refund as opposed to the other guy. I’m not talking about a few weeks earlier. One of the most prevalent forms of identity-related tax fraud relies solely on beating you to the gate. If a scam artist files a return using your information before you do, you can expect to wait about six months for your tax refund.
- Go Deep on Background. If you hire someone to prepare your taxes, make sure they have good references. This goes way beyond scoping out reviews on a website. Do a deep-dive online search of the person you’re thinking about using. Ask your future tax preparer for references, and call them.
- Be Quick. If you get correspondence from the IRS, it will come by mail. Everyone knows the sinking feeling they get when that envelope arrives, but don’t delay. Read all the mail sent to you by the IRS and respond as quickly as possible.
- Be Stingy. Don’t give your Social Security number to just anyone. When in doubt, say “No.” You will be amazed how many places that you think require those nine digits will back down if you speak up for yourself. Ask why they need it (if for billing, offer a credit card), and how they store sensitive information.
- Be Paranoid. Why? Because there is a horde of fraudsters and scam artists out there who really are out to get you. There is no such thing as being too careful these days. With more than a billion records compromised in data breaches, you have to assume that your information is both available and will be used against you.
- Don’t Use Public or Unsecured Wi-Fi. Unfortunately, this is not a given (though it should be). If you file your taxes electronically, make sure you do so on a secure network. The password protecting that network cannot be easy—no “password” or “qwedsa” or “abc123456.” If you are not sure about your network, invest some time to learn how to make it safe for sensitive traffic.
- Enable Two-Factor Authentication. Any time you are working with your financial records using tax preparation software, make sure you enable two-factor authentication so that you are better protected. And never save the documents on your computer. Load them onto an encrypted thumb drive.
- Shred. Old school is the best school when it comes to the most effective means to dispose of documents that include sensitive PII: cross-cut shred them using a quality machine.
- Don’t Take Calls. The IRS does not yet make phone calls to collect taxes due or to discuss problems with your tax return or a pending refund. If you get a call from the IRS, hang up. It’s a fraudster.
- Don’t Take the Bait. Phishing is a continuing problem because fraudsters are forever improving their email angling skills with ever more enticing and professional looking clickable links. There is one very easy way to avoid “getting got” when it comes to phishing: Remember that the IRS does not send email. Relegate all tax-related email from “The IRS” or “The Treasury Department” to your trash folder and then permanently delete it (in the event it is loaded with malware).
- Report Your Vulnerability. If your Social Security number has been compromised, the IRS ID Theft Protection Specialized Unit wants to know about it. You can reach them at 800-908-4490.
- Be Accountable. With free tools increasingly available, you can easily obtain a snapshot of your credit situation, and even keep tabs on your credit score, which will change if your Social Security number has been compromised by a fraudster who’s using it to open new accounts. You can get two of your scores for free each month on Credit.com to keep an eye on them. And keep in mind, if you become a victim of tax fraud or refund diversion, that means a thief has enough of your PII to commit any and every type of identity theft.
Identity-related tax fraud is no passing trend or transient ripple in national crime statistics. It’s an entrenched problem that will not be solved in the near future. As ever, you are the best, and ultimate, guardian of your personal finances. Act accordingly.
Adam Levin is chairman and founder of CyberScout and Credit.com, where this post originally appeared.