This tax season it’s the same old story when it comes to fraud, but the 2020 reboot is going to require tax professionals and taxpayers to level up when it comes to staying cyber safe. The targets remain the same (employers, payroll companies, tax preparers and taxpayers), as does the approach: social engineering. But the bad guys got in great shape during the off-season and have a stealthier playbook in 2020.
The threats persist because we still use easily guessed passwords shared across our universe of “secure” accounts (often mixing personal and work-related logins), we don’t use two-factor authentication whenever it’s available, we click on links or open attachments sent by people or organizations we think we know, and we answer security questions truthfully even though the answers can be read straight off our poorly protected social media accounts.
The criminals’ goal is to acquire as much personal and financial information as possible, so they can convincingly impersonate us to the institutions where we do business. Failing that, they try to trick us into giving up the credentials for payroll accounts, tax preparation organizations, the HR department of an employer that holds tax-related information, or the tax preparation software that taxpayers and tax preparers use to file returns.
The social engineering is accomplished through the four ishings of the cyberapocalypse:
Generic phishing: Dear Taxpayer, tax professional, cardholder, policyholder, member, employee, etc., a horrible/miraculous thing has happened: click here, Mr/Mrs/Ms FOMO.
Spearphishing (direct phishing): Dear Chris: You really messed up this time. See attached.
Vishing (phone-based): Mr/Mrs/Ms, I am with the security department of your bank, the IRS, the Social Security Administration, the Jury Commission, or the Board of Elections. It is crucial that we confirm your information on file.
Smishing (text-based): Your account has been frozen due to suspicious activity; please click on this link and enter your user ID to resolve this issue.
When a malicious link is clicked, the clone site that loads is, these days, usually close to perfect: authentic-looking graphics, excellent grammar, no misspellings. Often the only way to tell something is amiss is by looking at the URL, but even that can be misleading. Criminals are now adept at registering domain names that seem legitimate and obtaining valid security certificates for them, so the page shows HTTPS and a padlock just like the real thing.
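Because the padlock no longer proves anything, the useful question is whether the registered domain in the link is one you actually do business with. The following Python example is added here and is not part of the original article: it extracts the hostname from a URL, strips it down to a registered domain with a simplified two-label heuristic (a real tool should consult the Public Suffix List instead), compares it against a constructed allowlist, and flags the common lookalike patterns (a brand name buried in an untrusted domain, a bare IP address as the host, username-style text before the real host, and punycode labels). The allowlist entry examplebank.com and the sample URLs are constructed for the example; irs.gov and ssa.gov are the agencies named in the article.

```python
"""Lookalike-URL check for tax-season phishing links.

Added example, not part of the original article. The allowlist below is
constructed; registered_domain() uses a two-label heuristic rather than
the Public Suffix List, which is an accepted simplification here.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: registered domains the reader actually deals with.
TRUSTED_DOMAINS = {"irs.gov", "ssa.gov", "examplebank.com"}
# Brand tokens whose presence in an untrusted hostname is a red flag.
BRAND_TOKENS = {"irs", "ssa", "examplebank"}


def registered_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname (simplified; no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> dict:
    """Explain why a link is, or is not, one the reader should trust.

    The https scheme and padlock are deliberately ignored as evidence of
    legitimacy; the decision rests on the registered domain alone.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []

    if parts.scheme not in ("http", "https"):
        reasons.append("unusual scheme")
    # "https://irs.gov@evil.example/" shows a trusted name before the real host.
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo before host (display trick)")
    # A bare IP address is never how a bank or agency publishes a login page.
    try:
        ipaddress.ip_address(host)
        reasons.append("IP literal instead of a hostname")
    except ValueError:
        pass
    # Punycode (xn--) or raw non-ASCII labels can imitate Latin letters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalized/punycode label")

    dom = registered_domain(host)
    trusted = dom in TRUSTED_DOMAINS
    if not trusted:
        # Split on dots and hyphens so "irs.gov.refund-verify.example" yields "irs".
        tokens = set(re.split(r"[.-]", host.lower()))
        if tokens & BRAND_TOKENS:
            reasons.append(f"brand name appears in untrusted domain {dom}")
        else:
            reasons.append(f"domain {dom} is not on the allowlist")

    return {"host": host, "registered_domain": dom,
            "trusted": trusted, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links: one genuine, two lookalikes.
    for link in ("https://www.irs.gov/payments",
                 "https://irs.gov.refund-verify.example/login",
                 "https://irs.gov@203.0.113.5/"):
        print(link, "->", classify_url(link))
```

The check is intentionally conservative: anything not on the allowlist is reported as untrusted, and the reasons list is there so a reader (or a help desk) can see which lookalike pattern tripped it rather than just a yes/no.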
A new trend: intensified ransomware attacks on tax preparers. Time-sensitive files are frozen and only thawed when bitcoin is paid to the hackers, and that is if the victim is lucky. We have seen instances in the wider cyber ecosystem where the ransom is paid and the files are released, but the data has also been stolen, and the hackers then use it to file false returns.
To better protect against social engineering attacks, taxpayers should:
Use two-factor authentication whenever it is available.
Never click a link or open an attachment without independently confirming the sender.
Never authenticate yourself to anyone who contacts you. Only provide sensitive information when you’re in control of the interaction (navigate to the site yourself, call the organization yourself rather than trusting caller ID) and know exactly to whom you are speaking or communicating.
Tax preparers should be vetted:
Beware of guarantees. No organization can realistically claim to always deliver the biggest or fastest refund, so don’t click on a banner ad that makes that claim.
Avoid remorse, check the source. How did you find out about this particular preparer? Are they part of a larger organization? Are they a tax-season pop-up? Do they come recommended? What are their qualifications (CPA, PA, some guy who does it for his friends)? Are they a member of an organization that requires members to be ethical? Did you find them in an ad, get an email, etc.?
Know the deal, or get peeled. Is the fee set, or are you paying by the hour? Never agree to a percentage of the refund. Will your preparer be there for you after the return is filed? Is that part of the contract or not?
Know the facts, or feel the tax axe:
When you were presented with your return, what did it look like? Did the preparer sign it? Are there any blanks that might make an audit more likely? Do the numbers look right?
And let’s not forget the “oldies but goodies.”
Fake IRS representatives calling taxpayers and threatening them with arrest for having failed to pay in a timely fashion, demanding payment in gift or prepaid cards (it really happens, and people fall for it all the time) or via wire.
Fake Social Security Administration agents calling to inform you that they have to freeze accounts or suspend benefits due to criminal activity, something that can be avoided if you give them your sensitive personal information via phone or email (bonus: they also ask for your payment information).