Sign up to our newsletter
The latest security news direct to your inbox
Have you seen those bogus emails pretending to come from the Internal Revenue Service, the ones that lead you to infected websites or try to fool you into opening infected attachments? Have you heard of scammers filing your taxes for you and getting your refund? Hopefully you have, and hopefully you have avoided becoming a victim of the creeps who engage in this sort of activity.
To be on the safe side, you might want to look over the following answers to common questions about tax season scams in America and advice about fending off the malicious activity that seeks to exploit tax matters..
Q. How hard is it to tell if an email or text message is truly from the IRS?
A. Not hard at all, because unless you asked the IRS to send you that message, it is a fake. Here is the official IRS statement on this subject:
The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.
In other words, you can delete unexpected email or SMS purporting to come from the IRS. You should most definitely not click on any links in unsolicited messages, or download or open any attachments to such messages. Consider this example of malicious IRS email:
You probably noticed that there are three words spelled incorrectly in the first three sentences, a sign that this is most likely a fake email. But you don’t even need to read the thing to know it is fake: the IRS simply does not send messages like this.
If you do read the message you will see that it asks you to open an attachment. That attachment is a file which will, if you click on it, infect your computer with malware. This malware could make your computer a part of a botnet used for denial of service attacks or spamming, or it could steal your credentials for sale on the black market. We recently presented some analysis of a Trojan program called Zortob.b which is known to use fake IRS emails.
Q. Why do criminals keep sending such messages?
A. Because they work. Despite the efforts of the IRS to inform the public, efforts like this comprehensive anti-phishing page, there are still people who either haven’t heard of these scams or are so eager to get their tax refund, or avoid trouble with the IRS, that they ignore their better judgment.
On top of this is the sad fact that a lot of people still don’t use good “anti” software, namely anti-virus, anti-spam and anti-phishing (you can often get all three of these rolled into one with products like ESET Smart Security). Using security software stops these types of attacks at multiple levels:
You can read all about how anti-phishing works in this very informative article in ESET’s Knowledgebase. After all, it is a lot better to see something like this than a notice that your credit card account has been hacked:
Q. What is tax identity fraud and how can I prevent it?
A. Tax identity fraud is not typically perpetrated directly through online scams. Criminals engage the IRS directly, seeking refunds in the name of other people. True, those “other people” may be victimized because their personal details were stolen in some criminal online trespass or hack, but the criminal may also get a valid set of credentials (name plus matching Social Security number) from non-digital sources.
Unfortunately, there is a limit to what consumers can do right now to prevent tax identity fraud because there are gaping holes in the way the IRS processes electronic tax returns, refunds, and payments. Until these holes are closed, criminals will continue to regard tax identity fraud as an appealing activity with high reward and low risk. However, there are some defensive measures you can take:
1. Order your IRS Transcript to see what the IRS has on record for you in terms of tax payments and refunds. Just Google “IRS transcript” and you can find how to do this at irs.gov.
2. File early to limit the opportunity for fraud in the current filing period. However, this will not stop estimated tax fraud where a criminal uses your bank account number and bank routing number to make an estimated tax payment to the IRS on behalf of a stolen name and Social Security number, then claim a refund which the IRS pays to an account under the control of the scammer.
3. Monitor your bank accounts, which is always a good idea when there are so many people trying to get away with bogus charges these days. Try to review account transactions once a week and immediately alert your bank when you see something that you didn’t authorize. Note that some banks have alert services that will email you every time money is taken out of your account. (I get an alert every day letting me know my balance so a large and unexpected reduction in that balance would set off alarm bells; the downside is that anyone who hacks into my email will know how much I have in that account.)
4. Ask your bank to put an ACH debit block on your account. This prevents crooks taking money with this type of transfer, however, it could prevent you executing legitimate online or over-the-phone electronic payments.
5. Exercise vigilance over all bank account information and your Social Security number, at all times. These are the ingredients for tax identity fraud and you don’t want to make it any easier than it already is for the bad guys by being careless with this information.
Q. What’s the safest way to file my taxes?
A. Here’s my personal opinion: use a reputable tax preparer, preferably one referred by a trusted friend who has used them in the past. Sadly, even this is no guarantee that you won’t become a tax-identity theft victim. If you do, you should immediately seek out the IRS Identity Protection Specialized Unit or the Taxpayer Advocate Service.
Q. Is the IRS working to prevent fraud?
A. Yes. The IRS has some of the world’s best anti-fraud experts, and some of the world’s best information security experts, but like any large organization, fielding those experts and making the most of their skills and expertise is difficult. Congress has repeatedly cut the budget for the IRS while pushing for faster processing of returns and refunds. It would be a miracle if those pressures did nothing to hamper the efforts of the IRS to combat fraud.
Make no mistake, some perpetrators of identity fraud are arrested and convicted, but not enough yet to deter an army of aspiring scammers looking for their slice of the billions of dollars the IRS pays out every year in fraudulent refunds.
Q. What problems can occur if I am a victim of tax identity fraud?
A. You could potentially find the IRS asking you to return money that it paid out in your name to a scam artist. And it might take you a long time to resolve the issues (according to the Wall Street Journal, the IRS has a backlog of 650,000 tax identity fraud cases).
You could also find yourself turned down for a loan because of discrepancies between your tax record and those that the IRS has (because the IRS was tricked into accepting a return that is way different from your real situation).
Q. When are tax fraud problems at their worst?
A. There are some “hotspots” in online tax fraud, notably the opening weeks of filing season when scammers can submit returns with fake W2 information. The IRS does not get the W2 information from many employers until the end of March (even then, there is no cross-checking of W2s to verify that information on tax returns corresponds to a real job). However, the fact that businesses and professionals pay taxes throughout the year in the form of estimated payments makes tax identity fraud a profitable year-round criminal endeavor.
Q. What are some other scams around tax time?
A. The rule that “if something is too good to be true, it is” applies here. If your tax preparer claims that you don’t legally need to pay any taxes (when your income determines you do), or that you should set up phony offshore corporations to skirt taxes, or that you should sign off on them getting the IRS refund check and then giving you the remainder “after a small fee”, run the other way. Remember, if you fall for these scams, you’ll still have to pay once you get caught, regardless of what bad advice you got.
Q. Any more advice?
A. Make sure you keep your security software active and updated, and check out this IRS video on YouTube:
Author Stephen Cobb, ESET