The IRS has seen a 400% uptick in phishing and malware incidents thus far in the 2016 tax season. "The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies," mentions the IRS Tax Scams/Consumer Alerts website. "The phishing schemes can ask taxpayers about a wide range of topics."
The site goes on to say that the phishing emails or text messages are seeking information related to refunds, filing status, confirming personal information, ordering transcripts, and verifying PIN information.
When the live link in the email or text is clicked, potential victims are often sent to a malicious website closely imitating sites such as IRS.gov. "The sites ask for Social Security Numbers (SSNs) and other personal information, which could be used to help file false tax returns," explains the IRS website. "The sites also may carry malware, which can infect people's computers and allow criminals to access files or track keystrokes to gain information."
The IRS site iterates, "The IRS does not initiate taxpayer communications through email. Unsolicited email claiming to be from the IRS, or from an IRS-related component such as EFTPS (Electronic Federal Tax Payment System), should be reported to the IRS at firstname.lastname@example.org."
Proactive steps to protect yourself from ID theft
The IRS gets a lot of credit for staying on top of the myriad of tax-based identity scams currently in the wild. For those looking to be more proactive, Malwarebytes' Wendy Zamora in What you need to know about tax identity theft writes, "As is the case with all cybersecurity, the best way to protect yourself from threats of the stolen identity variety is to make yourself aware. By knowing the basic who, what, when, where, why, and how, you'll be far less likely to fall victim to identity theft."
Zamora starts by defining identity theft as when criminals steal victims' personal information, such as their Social Security Number, to commit fraud. "One example of tax identity theft occurs when criminals use a victim's personal information to file for a tax refund with the IRS," adds Zamora. "Victims usually learn of the crime after having their returns rejected because their impostors beat them to it."
Besides filing as soon as possible, Zamora offers the following tips.
Monitor credit reports: Individuals are entitled to a free copy of their credit report from Equifax, Experian, and TransUnion. Zamora suggests, "Review the report annually, looking for any suspicious activity."
Online tax services: Research the online tax service to ensure sufficient security is in place, including:
- password standards
- lock-out features that block users after too many unsuccessful login attempts
- security questions
- email and text verification
Protect passwords: Besides normal password hygiene, such as never using the same password on multiple accounts, Zamora disavows storing passwords on the computer, saying, "If you need to do it digitally, use an external hard drive or USB and disconnect it from the computer when you are finished."
SSNs are the keys to the kingdom: Do not carry SSN cards; do not write SSNs down on checks; and only give out SSNs if necessary, suggests Zamora. "When filling in forms for organizations, hospitals, clinics, and other companies, leave the area asking for your SSN blank," adds Jovi Umawing, malware intelligence analyst at Malwarebytes. "Some recruiters ask for it, too, and you should try to ensure there's a secure method for sending them important documentation when it's otherwise unavoidable."
What if a tax identity is stolen?
If a tax identity is stolen, be prepared for a lengthy grind to get back to normal. The Identity Theft Resource Center notes it can take up to 600 hours to restore a stolen identity.
Zamora suggests using the FTC's new online resource to simplify reporting identity theft to the FTC, IRS, credit bureaus, and state and local officials. To put a point on it, she adds, "It (tax identity theft) is a serious pain in the you-know-what. That means your best bet is, you guessed it, prevention."
- AI stops identity fraud before it occurs (TechRepublic)
- Phishing gets more dangerous: New report analyzes the weapons of choice (TechRepublic)
- 10 tips for spotting a phishing email (TechRepublic)
- Your personal security guide: Phishing campaigns (ZDNet)
- Job description: Identity access management specialist (Tech Pro Research)
Information is my field...Writing is my passion...Coupling the two is my mission.