IBM's X-Force security research team has revealed a startling statistic: There has been a 6,000% increase in tax-related spam email in the past year. The vast majority of those emails use one of five methods to get tax filers to give up their information, which is then sold on the dark web to be used in filing fraudulent returns.
It also reveals who is most at risk: The third of Americans who wait until after April 1st to file. If you're a tax procrastinator you need to protect yourself, and the best way to do that is to be aware of the methods cybercriminals are using to steal data.
Individuals aren't the only ones at risk: Many phishing attempts target businesses as well. When one of those attempts is successful W-2s are often leaked en masse, putting all a company's employees at risk.
How cybercriminals steal tax data
There are five methods IBM identified as the most prominent. Some simply involve getting an individual to turn over sensitive data, while others rely on opening documents that quietly run scripts and install malware.
1. W-2 and wire fraud targeting businesses
This newer method involves attacking a company directly. Criminals send emails to HR and payroll departments posing as executives asking for W-2 data. Once they get it they use the data to make fraudulent wire transfers less suspicious since they can use legitimate W-2 data to verify employee info.
See: Identity scams are up this tax season: How to protect yourself (TechRepublic)
2. False refund claims
IBM says that the most common method of defrauding consumers is through false claims of a high-dollar refund. An email arrives saying that a refund has been processed and that the recipient needs to open an attached document, which generally contains a malicious macro that installs malware.
3. Non-resident tax form fraud
Non-residents with taxable US income are targeted as well. Fraudulent emails targeting W-8BEN form filers have been found requesting recipients to send copies of passports, IRS PIN numbers, and other personally identifiable information.
4. Tax law changes
If you've received an email saying a change in tax law could benefit you don't open any attachments it contains. Much like example number two, these phishing messages come with documents that execute malicious macros. If given the chance to run these macros can install pretty much anything, giving a hacker total access to your computer.
5. Fake emails from tax preparation platforms
Plenty of people are inundated with emails from TurboTax, TaxAct, H&R Block, and others. Hidden among the innocuous spam may be fraudulent mail containing links to phishing sites. Once a user clicks the link and logs in hackers have credentials they can use to file false returns.
How to protect yourself, and your employees, from fraud this tax season
While plenty of tax fraud phishing targets individuals, IBM's research suggests that most tax records for sale on the dark web, where most falsely filed returns come from, originate from businesses.
See: Search the world's largest cybercrime library (TechRepublic)
We can all hope that HR and payroll teams are sharp enough to recognize phishing attempts, but it's never a bad idea to bolster defenses with training and reminders of potential risks. IBM recommends six steps for protecting both employee databases and your own individual data during tax season:
1. Set up an IRS PIN
The more security factors between your personal data and a cybercriminal the better. Check your own eligibility for a PIN and make sure your employees do the same.
2. File ASAP
Cybercriminals want to get tax info before you do so that they have time to file a false return. The sooner you file the less likely your information will be used by someone else.
3. Don't open attachments or click on links
Any attachment on a tax-related email should be ignored, and links shouldn't be clicked. When in doubt open a web browser and navigate to a website yourself, or contact the sender through another means of communication to make sure an attachment came from someone you trust.
4. The IRS won't initiate contact
In the IRS' own words, "[We don't] initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information." In short, if you get an email from the IRS asking for you to send back ANYTHING it's fake.
5. Report everything
If you get an email or visit a website you suspect of being fraudulent you should contact the actual sender right away. Forward phishing emails to the IRS at firstname.lastname@example.org as well—they need to know what hackers are up to.
6. Know what accountants will and won't request
If you use an accountant or a tax prep service the same rules apply. If they contact you with a request for any personally identifying information then it's likely a phishing attempt. That or your accountant is trying to steal your identity.
The three big takeaways for TechRepublic readers:
- There has been a 6,000% increase in tax phishing scams in the past year.
- While many scams target individuals the majority of personal records available for sale on the dark web is believed to come from hacked business databases.
- Be aware of phishing methods and know how to protect yourself. The key takeaway: No one will ever ask for personally identifying information in an email, a text, or via social media.
- 2017 cybercrime trends: Expect a fresh wave of ransomware and IoT hacks (TechRepublic)
- Watch out for these tax-themed phishing and malware scams (ZDNET)
- Gallery: The 18 most frightening data breaches (TechRepublic)
- Seagate sued by angry staff following phishing data breach (ZDNET)
- A new twist on a W2 tax scam (CBS News)
Brandon Vigliarolo has nothing to disclose. He does not hold investments in the technology companies he covers.
Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.