Phishing for tax returns: Where's your refund?

The use of phishing scams, phone scams and computer hacking seems to multiply daily. The object of the scams and hacks: getting your tax refund. How? By the scammers and hackers filing a false tax return on your behalf. It’s more common than you think. Part of the problem is that those darn phishing emails look so real, including company logos, brand identity, signature blocks and even the photo of the alleged sender of the email.

These scams are not new, but many of them continue to succeed. Last year, phishing emails were so prevalent that it prompted the IRS to issue a special alert. It’s becoming common practice for IT departments at many companies to introduce “fake” phishing threats to train their employees on what not to do. These are essentially planned attacks from a known source. Employees learn how to recognize a phishing email using various techniques, such as looking for misspellings, incorrect domains and hovering over any links embedded in the body of the email. More importantly, they learn what to do, and what not to do: DO report the suspicious email to the help desk and delete the email; DON’T reply to the email, click on any links in the email, or open any attachments to the email.

Phone scams also continue to cause people to give out information over the phone that they should not. The IRS recently warned consumers about this, and offered practical information about what the IRS does NOT do. Importantly, the IRS does not make phone calls and won’t contact you by email to request personal or financial information!

But scams are also the result of computer hacking, perhaps as a result of brute force attacks, where organized crime syndicates are infiltrating accountants and human resource departments at companies, and gaining access to prior years’ tax returns, wage and payroll information, social security numbers, and much more. The targets may include accounting firms and tax professionals that have on hand a massive amount of pertinent taxpayer information.

In fact, the IRS warned during the 2016 tax season that tax fraud is on the rise. The IRS has also published common-sense guidelines on basic do’s and don’ts for avoiding tax fraud.

Recently, the IRS, state tax agencies and members of the tax industry (members of the Security Summit Initiative) warned tax professionals about a new phishing email scam where the scammers impersonate software providers. The scam email comes with a subject line, “Access Locked” and tells recipients that access to their tax preparation software has been “suspended due to errors in your security details.” The scam email asks the tax professional to address the issue by using an “unlock” link provided in the email. If clicked, the link takes the tax professional to a fake web page, where they are asked to enter their user name and password. Instead of unlocking accounts, the tax professionals actually are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information. The Security Summit Initiative reminds tax professionals and taxpayers to never open a link or an attachment from a suspicious email, and that these scams increase during the tax season. Also, coming in 2017 are new safeguards that are aimed at those who prepare their own federal and state tax returns using tax software.

Law enforcement also warns about tax fraud schemes designed to defraud individuals. The FBI recently issued warnings about fraudulent tax schemes, and noted that it receives hundreds of complaints of tax-related fraud during this time of year as criminals scam you and the IRS, using your name. You can also hear the audio transcript of this warning here.

And, keep in mind that if you are a company that has been targeted, and personally identifiable information about your individual clients, customers, employees, or other individuals has been breached, you will have other headaches beyond the possibility of fraudulent tax returns. Forty-seven states in the U.S. and the District of Columbia require companies to notify consumers if their personally identifiable information is compromised. While similar in concept, the state laws vary, and you will need to comply with each state’s law. The law that governs the requirement to notify is that of the state in which the individual whose information has been compromised resides, not the state in which the breach occurred. Thus, for companies that conduct business across the U.S., a single data breach may require notifications that comply with forty-eight different laws. Offering free credit monitoring to the affected individuals has also become a de facto standard in responding to a data breach.

Beyond notification to individuals, consider involving the FBI or other law enforcement so that facts and patterns of criminal activity can be evaluated and monitored. InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence, and one of its focus areas is cybercrime.

If your company is a victim and is faced with the potential for a multitude of fraudulent tax filings, there are resources at the state and federal level who will work with you to determine if they can put a freeze on processing returns from an identified list of stolen social security numbers until the true identity of the taxpayer is verified. That will stop the bleeding, at least as far as tax returns are concerned.

New phishing scam targets ed in search of W-2 forms

Dive Brief:

  • A dangerous new phishing scheme is targeting employee W-2 forms, and both school districts and colleges have already been targeted.
  • The scam relies on spoof emails supposedly sent from administrators or financial departments requesting sensitive information, including tax forms. 
  • Experts suggest accounting and HR teams remain vigilant and that IT departments alert staff about the issue. When accounting forms are sent electronically, they should be encrypted, and suspicious emails can also be forwarded to the IRS, which has set up a site explaining the scams in more detail.

Dive Insight:

As previously reported, education has fast become one of the most popular targets for hackers looking to invade networks, thanks to the number of devices on school networks and the sometimes haphazard patching and OS maintenance on those devices. Various outdated servers, which may still occasionally be used by staff, can offer convenient backdoors into the larger network.

In addition to phishing scams, schools have also been contending with a rise in DDoS, or distributed denial of service, attacks, which can cripple a network’s internet access and are often initiated by students during crucial periods, such as high-stakes online testing. Ransomware attacks, where district files are held hostage for payment, usually in untraceable bitcoin, leave districts with the choice of wiping servers and restarting from backups or paying ransoms that can approach $10,000.

All these attacks are preventable, say experts, provided IT teams remain proactive in protecting their networks and also educating staff on how to stay safe.


Tax Season Is Prime Time for Spear Phishers

You may not love tax season, but spear phishers certainly do: They leverage unencrypted email, poor firewalls, and general social engineering to steal taxpayers’ and organizations’ tax returns in hopes of garnering a refund and/or nonpublic information (NPI). Making matters worse is that these attacks are, in many ways, easier to wage than filing a return.

Email should be considered as secure as the server it’s hosted on, which–depending on the server–could be either extremely secure or extremely vulnerable. Normally, a cybercriminal looking to steal some returns will try to hack the server, which is why it’s good practice (and, in some cases, federally or state-mandated) to transmit financial information, including corporate tax returns, via encrypted messaging. If cybercriminals can’t get access to the server, their next best option is to target those who have access, like an IT admin.

January to mid-April is the prime time for criminals to try to convince susceptible employees to hand over private company information, including tax returns, company bank account information, and employee information including healthcare and W-2 files. Many organizations naively believe that this could never happen to them. However, a quick search online can usually show the prevalent dangers of these sorts of attacks. Companies like Snapchat, Seagate, Polycom, Advance Auto Parts, and, yes, even hospitals, schools, and utility companies have all been victims of spear phishing.

At AppRiver, we have seen the spike in phishing traffic already occurring this tax season. The beginning of the year is typically when taxpayers anticipating big refunds rush to have their returns filed, while taxpayers who owe usually procrastinate until the last second. For these reasons we anticipate that phishing traffic will continue to dwindle until the very end of tax season, with perhaps another small push toward the deadline.

So, how do criminals identify a potential target? It’s easy. First, they’ll search for a company on social media sites like Facebook and LinkedIn. Nowadays, it’s not uncommon for social media users to list their employment on their social media profiles, or even to have a dedicated online resume (on LinkedIn, for example). In a company with more than 50 employees, odds are at least one person from finance has listed his or her employment on a social media account.

After choosing a target, the criminal will either spoof the company’s domain to create an email address that appears to come from a high-level executive, like the CEO, or create a similar one that most employees wouldn’t catch. An example would be using .net instead of .com, or adding an extra letter in the domain.
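The two domain tricks described above (a swapped top-level domain, or a domain that differs by a letter or two) are easy to test for on the receiving side. The following is an added example, not code from the original post or from AppRiver: it takes the sender address of an inbound message and reports why its domain looks like an imitation of the organisation's own domain. The organisation's domain `example.com` and all sample addresses are assumptions constructed for the example.

```python
"""Flag sender domains that imitate the organisation's own domain.

Added example, not from the original article. It assumes the company's
legitimate domain is example.com; every address below is constructed.
"""
from email.utils import parseaddr
from typing import Optional, Tuple

OUR_DOMAIN = "example.com"  # assumption: the organisation's real domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (name, tld) for a domain such as 'example.com' -> ('example', 'com')."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def lookalike_reason(sender: str, our_domain: str = OUR_DOMAIN) -> Optional[str]:
    """Explain why the sender's domain imitates our domain, or return None when it
    is either exactly our domain or clearly unrelated."""
    _, addr = parseaddr(sender)          # strips the display name, e.g. "CEO <...>"
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain == our_domain:
        return None
    name, tld = split_domain(domain)
    our_name, our_tld = split_domain(our_domain)
    # Same name, different TLD: example.net standing in for example.com
    if name == our_name and tld != our_tld:
        return f"tld swap: .{tld} instead of .{our_tld}"
    # One or two character edits on the name: exampple.com, examp1e.com
    dist = levenshtein(name, our_name)
    if 0 < dist <= 2:
        return f"edit distance {dist} from {our_name}"
    # Our name embedded in a longer registration: example-payroll.com
    if our_name in name:
        return f"contains {our_name!r}"
    return None


if __name__ == "__main__":
    # Constructed sample senders; the first is genuine, the rest are imitations
    for sender in ("CEO <ceo@example.com>", "ceo@example.net",
                   "ceo@exampple.com", "ceo@example-payroll.com", "news@unrelated.org"):
        print(f"{sender:32} -> {lookalike_reason(sender)}")
```

The edit-distance threshold of two is deliberately low: a higher value starts matching unrelated short domains, and a mail filter that quarantines legitimate suppliers is quickly switched off. A production filter would also compare against a list of the organisation's known partner domains rather than only its own.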

When an outside criminal crafts an email in such a way that it looks to be internal, some users will trust them without digging deeply enough. And that’s the core component to spear phishing. A criminal doesn’t need to be a hacker or gain access to secure internal systems. If someone can send convincing, legitimate-appearing emails, employees may hand over sensitive information and be none the wiser.

While right now this tactic is used to get W-2s, NPI and tax returns, tactics along the same lines are used year-round–for example, using wire transfer fraud emails to dupe employees into wiring tens of thousands of dollars from companies’ accounts to dummy accounts set up by the criminals. The FBI refers to these as Business Email Compromise (BEC) messages. The broader interpretation is any external email that claims to be from an internal user (like the CEO) who wants an employee to do something that compromises the integrity of business operations. This is a very dangerous attack vector because of how successful it is. The total damage companies face is in the millions each year.

So how does one avoid spear phishing, wire transfer fraud and BEC year round?

Unfortunately, there’s no panacea when it comes to blocking spear phishing attempts. However, there are some steps an organization can take to combat them:

  • Use encrypted email. It should be company policy that certain bits of sensitive data should always be encrypted when sent via email. Ideally, no such information would ever be sent externally; but, if it was, with this protocol the data would still ideally remain secured and unusable by the third-party.
  • Look at the recipient address when replying. A quick glance at the “To:” address when replying could potentially stop many spear phishing attacks. Criminals like to put freemail accounts (Outlook, Gmail, Yahoo, etc.) in the “Reply-To:” field of a phishing message. For most users this field is only visible once they go to reply. If they are willing to spend a few dollars, criminals will even register domain names very similar to the victim’s domain.
  • Use two-factor verification. Having a company policy where it’s acceptable to transfer $50k with a single email request is a bit loose with the coffers. It’s best for everyone if there is a second verification in place, such as a quick office visit or phone call. The same goes for sending around something like all employees’ W-2 files.
  • Hover over links in messages. Some spear phishing attacks need only a single email to get through to a user, with no back and forth required. Such an attack might include a phishing link that harvests an employee’s email login, a link to an external site that collects the details needed for a wire transfer, or even a link for an employee to upload sensitive company data. Knowing where you are going online by hovering over links, and glancing at the URL once you are there, is a basic security habit that some people need to follow more closely.
  • Don’t be afraid of your boss. Yeah, this can be a tough one. But some of these spear phishing emails rely on using the CEO’s name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, some employees may forgo any set policy and bypass procedures in place to please their boss. After all, they think the CEO is ordering them to. Obviously, questioning every order that comes down isn’t feasible or advisable, but, again, there are certain things like sending W-2s and wire transfers that should have set policies in place where everyone follows them no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter. This may be obvious, but many email filters have advanced features and tests that can catch these sorts of attacks that people may not be aware of. At AppRiver, we have an advanced spear phishing test that can look for these types of low-key phishing email tactics and stop them. If you have a filter service that doesn’t have spear phishing features in it, you can even do something like block external email using your domain name in it: Any email using your domain name, but coming from somewhere that’s not your own server, gets blocked. Or you can enable SPF on your own domain and verify that on any incoming messages.
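Two of the filter-side checks in the list above (a freemail “Reply-To:” that does not match the “From:” domain, and your own domain arriving from a host that is not your mail server, verified with SPF) can be expressed as a small triage script. This is an added example, not AppRiver's spear phishing test or any product's code. It assumes the organisation's domain is `example.com`, supplies that domain's SPF record inline instead of looking it up in DNS, and uses constructed sample messages; the SPF evaluator handles only the `ip4`, `ip6` and `all` mechanisms, so `include:`, `a` and `mx` (which need DNS) are left out.

```python
"""Header-level triage for inbound spear phishing, covering the Reply-To and
SPF/own-domain rules from the list above.

Added example, not a product's filter. Assumptions: our domain is example.com,
OUR_SPF stands in for the DNS TXT record, and every message is constructed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr
from typing import List

OUR_DOMAIN = "example.com"
# Constructed stand-in for example.com's SPF TXT record; a real filter fetches
# it from DNS and also resolves include:/a/mx mechanisms, which are skipped here.
OUR_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com"}


def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spf_check(record: str, client_ip: str) -> str:
    """Minimal SPF evaluation of ip4/ip6/all mechanisms with +, -, ~ and ? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no valid record)."""
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"                                  # default qualifier is pass
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")          # first ':' only, so ip6 args survive
        mech = mech.lower()
        if mech == "all":
            return results[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return results[qual]
        # a, mx, include, exists: need DNS lookups, deliberately not implemented
    return "neutral"                                # no mechanism matched, no 'all'


def triage(raw_message: str, client_ip: str) -> List[str]:
    """Return the findings for one inbound message delivered from client_ip."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    # Rule: replies are steered to a freemail account the From domain does not use
    if reply_dom and reply_dom != from_dom and reply_dom in FREEMAIL:
        findings.append(f"reply-to freemail mismatch: {from_dom} -> {reply_dom}")
    # Rule: our own domain in From, but the sending host fails our SPF policy
    if from_dom == OUR_DOMAIN:
        result = spf_check(OUR_SPF, client_ip)
        if result != "pass":
            findings.append(f"own domain from unauthorised host {client_ip} (spf {result})")
    return findings


# Constructed samples: a CEO-impersonation W-2 request and a genuine internal mail
SPOOFED_CEO = (
    "From: CEO <ceo@example.com>\n"
    "Reply-To: ceo.example@gmail.com\n"
    "To: payroll@example.com\n"
    "Subject: W-2s needed today\n"
    "\n"
    "Please send every employee's W-2 as a PDF before noon.\n"
)
LEGIT = (
    "From: CEO <ceo@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: board deck\n"
    "\n"
    "Attached.\n"
)

if __name__ == "__main__":
    print(triage(SPOOFED_CEO, "198.51.100.7"))   # external host, gmail Reply-To
    print(triage(LEGIT, "203.0.113.25"))         # our own mail relay
```

Tying the own-domain rule to SPF rather than to a blanket “block anything with our domain from outside” keeps legitimate third-party senders (payroll or CRM services listed in the record) working, which is why the list suggests SPF as the alternative. Messages that produce findings are better quarantined for review than silently dropped, so that a misconfigured relay shows up quickly.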

Guest blogs such as this one are published monthly and are part of Talkin’ Cloud’s annual platinum sponsorship.