Phishing Scams & Tax-Related Identity Theft Revealed
Author: Shawn Loader
Phishing scams and identity theft affect an ever-broadening scope of targets and often leave victims feeling helpless. Below are some recent statistics on tax-related identity theft from the IRS:
- The IRS successfully stopped 19 million fraudulent returns requesting $63 billion in refunds in 2015.
- An estimated $5.8 billion was paid out for suspected fraudulent claims.
- In 2015, 724,000 records from the IRS Get Transcript service were compromised, and an additional 295,000 attempts to access taxpayer records were detected but unsuccessful.
- The taxpayers’ children are becoming an increasingly common target since many taxpayers aren’t vigilant about regularly following up on a child’s credit or tax filing history.
- Thirty percent of identity theft cases are perpetrated by family members.
Tax-Related Individual Identity Theft
If an attempt to obtain confidential information or coerce payment appears questionable, in many cases it probably is. To combat tax-related identity theft, taxpayers should be aware of what the IRS does and doesn’t do to notify them of an issue on their account. The IRS never uses these practices commonly linked to tax identity thieves:
- Initiating unsolicited phone calls, texts or emails regarding an account issue or deficiency without first sending a written notice (The first method of contact always will be through official IRS correspondence in the mail.)
- Confirming or verifying key information with a taxpayer
- Demanding immediate payment of taxes
- Requiring a specific payment method for the tax liability
- Threatening a visit from local law enforcement agents to a taxpayer’s home or place of business unless the debt is paid
- Using forceful or punishing language to coerce payment from a taxpayer through intimidation
Scammers frequently use common names, provide fake IRS titles and badge numbers and mask their email address or phone number to make themselves appear legitimate. The impersonator may know some of a target’s personal information, such as the last four digits of a Social Security number, and may use it to try to extract additional identifying information from a taxpayer. Identity thieves often use the team approach to reinforce their claims. For example, a second scammer may call a target shortly after the first one, claiming to be following up on the debt.
Another tactic for obtaining confidential information is social engineering—manipulating an individual’s desire to avoid conflict with taxing authorities. Former computer hacker Kevin Mitnick, who now uses his experience to help employers and individuals improve their security standing, knows social engineering is often effective: “It’s much easier to hack a human than a computer because computers follow instructions, they don’t vary—humans go by emotion … so it’s not hard to socially engineer someone—especially if they haven’t been burned before.”
During the 2015 tax filing season, there were an unprecedented number of tax-related identity theft cases. Likewise, the 2016 season already has seen an uptick in fraudulent activity. To address this issue, the IRS has introduced some changes: initializing due date changes, addressing system security flaws, delaying payment of refunds and requiring that affected taxpayers use verification pins when filing. Many state revenue departments have taken similar steps and redesigned their tax reporting forms to allow taxpayers to submit their driver’s license information as an additional layer of identification.
To avoid becoming a target, you should limit opportunities for tax identity thieves to access your sensitive information. Some best practices include:
- Shred documents with names, addresses, birth dates and similar identifiable information you don’t need
- Control the information you communicate through insecure channels like email and file-sharing sites
- Manage privacy settings and content on social media accounts
- Keep your computer and antivirus software up to date on business and personal machines
- Be aware of security risks of using smartphones or other portable devices to access or store sensitive information
Tax-Related Business Identity Theft
Businesses also need to be diligent about safeguarding their information. The IRS recently released an alert to human resources and payroll professionals warning against unauthorized attempts to gain access to bulk employee records like the Form W-2. Identity thieves are sending spoofing emails that appear to be from a member of an employer’s leadership team requesting electronic copies of sensitive employee records. Similar schemes mimic a funds transfer request from a CEO or CFO with an implied sense of urgency. To prevent these attacks and safeguard company assets, it’s crucial to raise employee awareness and follow up properly.
BKD offers a wide range of IT Risk Services to help businesses identify and manage the threat of data breaches. These services include an evaluation of your organization’s exposure to social engineering as well as efforts to raise employee awareness through simulated pretext phone calling, spoofing, phishing, physical access attempts and the use of malware and counterfeit websites. Learn more about our cybersecurity solutions.
Knowledge of the tactics used by scammers and identity thieves—along with a healthy skepticism about unusual requests—are key elements of safeguarding confidential personal and business information. If you’ve been affected by tax-related identity theft, a recent BKD article offers additional information about what to do. Contact your BKD advisor to discuss the specifics of a suspicious request and any follow-up that may be warranted.