The Tax Clock is Ticking

Phishing Scams Thrive on Deadlines and Fear

Tax returns are soon due on Tuesday, April 18th, 2017, and with that looming deadline, the pressure is on to have everything done and filed correctly. All paperwork in order? All taxes accounted for? Employees all have their W-2s?

It is a pressure that phishing scammers thrive upon.

Alarm clock

When the clock is ticking, victims are often not as careful as they may be otherwise to check for an email’s legitimacy, leading them to offer up personal information, click on links to fake IRS look-alike websites, or even send money to pay for a falsified tax under threat of police action. The fear that there is so little time left results in rushed actions, just like an impulse buy at a sale, albeit flavored with accusations of tax evasion.

This year, more taxpayers have delayed filing than in 2016, further increasing the target pool for scammers as taxpayers scramble to ensure their tax returns are filed on time. 2016 already saw a record high of tax-season phishing scams, a trend that has only grown this year with increasingly creative schemes to lure in a taxpayer victim.

Examples of tax season phishing scams include:

  • Get your tax refund immediately! Confirm your personal information at this fake address or you won’t get this refund we’ve calculated that you have earned!
  • Someone else used your bank account to pay their taxes and your account was locked down. Visit this false website here to unblock your account!
  • Verify your PIN!
  • Your tax return was incomplete, fill out the missing data!
  • You under-reported your income, visit this false website to correct it or we will be forced to report you to the police.
  • Your payment was successful! Download this (trojan virus) receipt for your records.
  • You didn’t pay this extra (fake) tax, visit this false website to correct it. We may accept payment in the form of a gift card.
  • This is your boss, send me all of the employees’ W-2s! Oh, and Payroll department, please wire-transfer money to this account. I am the boss. Really.

Many of these scams may use the proper logos, have websites that look exactly like the real IRS website, or otherwise seem official through social engineering, and that is where most of their victims are ensnared. Compound these offers and alerts with the time sensitivity of the tax-season deadline, and even the most cautious recipients may still click on a link, opening the door to malware infections even if they do not directly submit any sensitive information.

baited fishing hook

Tax Preparers are also Targets

A new scam this year feigns the identity of a taxpayer who wishes to make a last-minute change to their account, specifically to where the refund will be sent. Tax preparers’ email accounts may also be compromised, giving a thief access to any confidential data exchanged with clients. The computers on which they file data may be infected with malware to gather their clients’ information, or any other sensitive data stored on that system.

What to look for:

  • Requests for personal information: the IRS will not ask for this via email, phone, fax, or social media.
  • Suspicious urls: a simple mouseover of a link can show the destination address, which are often different from what is expected. Sometimes the spoofed destination seems very similar to the real url, such as “irsgov” with no dot between the irs and gov.
  • Deadlines, threats, or fines: these are tactics used to scare a victim into action, be it to offer information, reply, click a link, or download an attachment.
  • Attachments: these are often covers for malware.

A phishing scam may have any combination of such factors, and may even spoof the email address and name of someone that you know. Always be cautious, as falling to a scam could risk your identity, your money, your company, or your clients!

Phishing scammers may not get your personal information from you directly, but if they are able to infect a computer, they are able to gain access to any files or sensitive data on that computer, or install a keylogger to record your typing and from that, glean account numbers, passwords, and anything else that is typed. They may use this to target your tax information or a company’s W-2s, impersonate employees, send out false emails, or steal from accounts and credit cards.

How to Protect Yourself and Your Company

Awareness is the greatest line of defense. Every taxpayer should be aware these scams exist, and as many people may receive such phishing messages through their work email, the risk of infection on a company’s computers and systems is a real threat.

If you’re looking for a way to expand awareness among your coworkers or employees, we at Tiro Security offer affordable security awareness training that can include phishing simulations. While the tax season is soon to end, phishing attempts are a year-round threat, and the simple preventative measure of training your staff can significantly reduce the risk of a costly mistake.