Tag Archives: irs

Phishing for tax returns: Where's your refund?

The use of phishing scams, phone scams and computer hacking seems to multiply daily. The object of the scams and hacks: getting your tax refund. How? By the scammers and hackers filing a false tax return on your behalf. It’s more common than you think. Part of the problem is that those darn phishing emails look so real, including company logos, brand identity, signature blocks and even the photo of the alleged sender of the email.

These scams are not new, but many of them continue to succeed. Last year, phishing emails were so prevalent that it prompted the IRS to issue a special alert. It’s becoming common practice for IT departments at many companies to introduce “fake” phishing threats to train their employees on what not to do. These are essentially planned attacks from a known source. Employees learn how to recognize a phishing email using various techniques, such as looking for misspellings, incorrect domains and hovering over any links embedded in the body of the email. More importantly, they learn what to do, and what not to do: DO report the suspicious email to the help desk and delete the email; DON’T reply to the email, click on any links in the email, or open any attachments to the email.
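The recognition techniques listed above (checking for an incorrect or lookalike sender domain, and hovering over a link to see where it really leads) can be turned into an automated triage check that flags a message for the help desk. This is an added example, not code from the original post; the internal domain allowlist and the sample message are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}  # assumed allowlist; a placeholder, not from the post
# Constructed sample modelled on the "Access Locked" lure above: an executive's display name
# on a lookalike sender domain, and a link whose visible text differs from its real href.
SAMPLE_EMAIL = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
To: payroll@example-corp.com
Subject: Access Locked
Content-Type: text/html

<p>Access to your tax software has been suspended due to errors in your security details.</p>
<p>Use this <a href="https://login.example-corp.com.unlock-portal.test/">https://login.example-corp.com/unlock</a> link to unlock it.</p>
"""

def is_internal(host):  # true only for an internal domain or a genuine subdomain of one
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def edit_distance(a, b):  # Levenshtein; a small distance to a trusted domain means a lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def triage(raw):  # reasons a message should go to the help desk rather than be acted on
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if not is_internal(sender_domain):
        findings.append(f"external sender domain: {sender_domain}")
        if any(edit_distance(sender_domain, d) <= 2 for d in INTERNAL_DOMAINS):
            findings.append(f"lookalike of an internal domain: {sender_domain}")
    # The "hover over the link" check: compare the host the text shows with the host the href reaches.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', msg.get_content(), re.I | re.S):
        real, shown = host_of(href), host_of(text.strip())
        if shown and shown != real:
            findings.append(f"link text shows {shown} but goes to {real}")
        if not is_internal(real) and any(d in real for d in INTERNAL_DOMAINS):
            findings.append(f"internal domain embedded in a foreign host: {real}")
    return findings
```

Running `triage(SAMPLE_EMAIL)` returns four findings for the constructed lure; a genuine internal message with a link whose text and href agree returns none.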

Phone scams also continue to cause people to give out information over the phone that they should not. The IRS recently warned consumers about this, and offered practical information about what the IRS does NOT do. Importantly, the IRS does not make phone calls and won’t contact you by email to request personal or financial information!

But scams also result from computer hacking, sometimes via brute force attacks, in which organized crime syndicates infiltrate accountants and human resources departments at companies and gain access to prior years’ tax returns, wage and payroll information, social security numbers, and much more. The targets may include accounting firms and tax professionals that have on hand a massive amount of pertinent taxpayer information.

In fact, the IRS warned during the 2016 tax season that tax fraud is on the rise. The IRS has published some common sense guidelines on basic do’s and don’ts to avoid tax fraud, such as those that can be found here.

Recently, the IRS, state tax agencies and members of the tax industry (members of the Security Summit Initiative) warned tax professionals about a new phishing email scam where the scammers impersonate software providers. The scam email comes with a subject line, “Access Locked” and tells recipients that access to their tax preparation software has been “suspended due to errors in your security details.” The scam email asks the tax professional to address the issue by using an “unlock” link provided in the email. If clicked, the link takes the tax professional to a fake web page, where they are asked to enter their user name and password. Instead of unlocking accounts, the tax professionals actually are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information. The Security Summit Initiative reminds tax professionals and taxpayers to never open a link or an attachment from a suspicious email, and that these scams increase during the tax season. Also, coming in 2017 are new safeguards that are aimed at those who prepare their own federal and state tax returns using tax software.

Law enforcement also warns about tax fraud schemes designed to defraud individuals. The FBI recently issued warnings about fraudulent tax schemes, and noted that it receives hundreds of complaints of tax-related fraud during this time of year as criminals scam you and the IRS, using your name. You can also hear the audio transcript of this warning here.

And, keep in mind that if you are a company that has been targeted, and personally identifiable information about your individual clients, customers, employees, or other individuals has been breached, you will have other headaches beyond the possibility of fraudulent tax returns. Forty-seven states in the U.S. and the District of Columbia require companies to provide consumers with notification if their personally identifiable information is compromised. While similar in concept, the state laws vary, and you will need to comply with each state’s law. The state law that governs the requirement to notify is that of the state in which the individual whose information has been compromised resides, not the state in which the breach occurred. Thus, for companies that conduct business across the U.S., a single breach of data may require notifications that comply with forty-eight different laws. Offering free credit monitoring to those individuals has also become a de facto standard in responding to a data breach.

Beyond notification to individuals, consider involving the FBI or other law enforcement so that facts and patterns of criminal activity can be evaluated and monitored. InfraGard (see https://www.infragard.org/) is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence, and one of its focus areas is cybercrime.

If your company is a victim and is faced with the potential for a multitude of fraudulent tax filings, there are resources at the state and federal level that will work with you to determine if they can put a freeze on processing returns from an identified list of stolen social security numbers until the true identity of the taxpayer is verified. That will stop the bleeding, at least as far as tax returns are concerned.

New phishing scam targets ed in search of W-2 forms

Dive Brief:

  • A dangerous new phishing scheme is targeting employee W-2 forms, and both school districts and colleges have already been targeted.
  • The scam relies on spoof emails supposedly sent from administrators or financial departments requesting sensitive information, including tax forms. 
  • Experts suggest accounting and HR teams remain vigilant and that IT departments alert staff about the issue. When accounting forms are sent electronically, they should be encrypted, and suspicious emails can also be forwarded to the IRS, which has set up a site explaining the scams in more detail.

Dive Insight:

As previously reported, education has fast become one of the most popular targets for hackers looking to invade networks, thanks to the number of devices on school networks and the sometimes haphazard patching and OS maintenance on those devices. Various outdated servers, which may still occasionally be used by staff, can offer convenient backdoors into the larger network.

In addition to phishing scams, schools have also been contending with a rise in DDoS, or distributed denial of service, attacks, which can cripple a network’s internet access and are often initiated by students during crucial periods, such as high stakes online testing. Ransomware attacks, in which district files are held hostage for payment, usually in untraceable bitcoin, leave districts with the choice of wiping servers and restarting from backups or paying ransoms that can approach $10,000.

All these attacks are preventable, say experts, provided IT teams remain proactive in protecting their networks and also educating staff on how to stay safe.


Before phishing scam came along, report showed San Marcos at risk

Posted: 7:58 a.m. Saturday, March 25, 2017

More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability.

The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve.”


A follow-up test was conducted with the city’s blessing, according to the city’s former information technology infrastructure manager, Lenora Newsom. The test found a number of San Marcos employees fell for a simulated phishing email sent with the help of a security consultant, Newsom said.

The city’s IT director purchased a one-year employee training package from that consultant, KnowBe4, but the plans to roll out the training took longer than expected, city spokeswoman Kristi Wyatt said. The IT department submitted a budget request last year to extend the subscription, she said, but that request was denied during the fiscal 2017 budgeting process.

Newsom, who left the city in August 2016, was one of more than 800 current and former employees whose W-2s were stolen last month. When the city notified her of the breach, Newsom said she was infuriated.

“I thought, ‘Are you kidding me? I worked really hard to prevent this,’” Newsom said. “I believe that San Marcos is ahead of a lot of places in the IT realm … but this was a piece that, well, in my opinion, was not taken seriously.”

Wyatt confirmed that the city doesn’t have mandatory cybersecurity training for employees outside of its information technology department. Rather, managers periodically send emails to employees with educational materials and information about the latest hacking trends, and human resources employees talk to new hires about cybersecurity, Wyatt said.

The city’s IT director is working on creating a training program and on Friday held its first citywide, in-person training on security, Wyatt said.

“The city will continue to provide security awareness and expand training to all employees,” Wyatt said. “Training is only one factor in protecting our information from scammers. … In many incidents, including our recent attack, human error plays a role. While we can’t prevent every possible breach, we can and have taken steps to limit our exposure.”

City focusing on improvements

The report by SHI Security Services described the lack of training as a “low-risk” finding. But it noted that the “issues described represent a demonstrable risk of service interruption and/or theft of sensitive data with a medium- or high-level of exploit skills.”

City officials declined to comment on the draft report obtained by the Statesman.

“The recent phishing incident is currently being investigated by the San Marcos Police Department, and the city is also working closely with the IRS and the FBI,” Wyatt said, adding that “further discussions could further compromise our security situation.”

Mike Sturm, the city’s IT director, wasn’t available for an interview Friday. But he said in an emailed statement that, after buying the training package from KnowBe4, the department began “evaluating, testing, and developing a plan to implement training across the organization.”

Wyatt was unable to provide information about why the city didn’t approve the IT department’s request to extend the subscription for the KnowBe4 training package during the fiscal 2017 budgeting process.

Stu Sjouwerman, CEO of KnowBe4, said he couldn’t speak about any specific customer, but said sending educational emails and going over information with new employees isn’t a strong enough method of preventing breaches.

Sjouwerman said his company has had success in reducing its customers’ vulnerability to attacks by training. In one example he offered, a customer went from about 16 percent of its employees falling for simulated attacks to 1 percent.

“There will always be somebody who has an off day and falls for that attack anyway,” he said. “But it’s dramatically less” with training.

Luck ran out

The type of attack that duped the San Marcos employee in February, in which a hacker impersonates a familiar contact to trick someone into forwarding confidential information, is called “CEO fraud” and is increasingly common, Sjouwerman said.

In February, the IRS issued a warning about such a W-2 phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.

That same month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a phishing email that appeared to be from the district’s superintendent. The forms include sensitive information, such as Social Security numbers, and some hackers use the information to file fraudulent tax returns seeking refunds.

In the case of the San Marcos breach, city officials have said, the email requesting the information was made to look as if it came from the mayor. Sjouwerman said hackers can configure such emails using a forged address.

That’s why it’s so important for employees to be trained to recognize and flag suspicious emails, he said.

In a June 29, 2016, email obtained by the Statesman, Sturm requested that employees of the human resources department incorporate the KnowBe4 software into new hires’ training — right away.

“There are so many phishing emails and direct calls going around, that if a new employee doesn’t understand the risk on their first day, there is huge security risk to the City,” Sturm wrote. “Yes, we have been lucky so far.”