Wednesday, January 25, 2017

It's tax fraud season!

Tax season means tax fraud season. Here are a few common schemes to watch out for, along with tips to protect yourself from fraud.
1040 Individual Tax Return, by 401kcalculator. Used under license CC BY-SA 2.0

It's tax season. That means it is also tax fraud season. 

Early in the year is prime time for tax-related scams targeting both consumers and businesses. I see these start to appear around late December, but tax-related scams tend to peak in March. It makes sense that consumer scams would peak as the April 15 filing deadline approaches - but it's rather illogical that this is also true for business compromise. Employers, charities, and financial institutions are generally required to provide tax documents to consumers by January 31, so a successful business-oriented scam in March is a bit of a head-scratcher. Nonetheless, that's what the data show. 

What follows are explanations of some common tax-related threats at this time of year, along with tips to protect yourself.



W-2 Phishing


In the first three months of 2016, security journalist Steve Ragan chronicled 41 businesses that publicly reported a breach of employee W-2 data. The usual approach is a variation of phishing known as business email compromise.

Already in 2017, reports are surfacing of companies that have fallen for this scam. As I write this, Argyle (Texas) Independent School District informed its employees today that their personal data had been given to a criminal by an employee who thought he or she was replying to a request from the district superintendent.

W-2 scams differ from most phishing scams in that the attackers do some homework. They know whom to impersonate, and whom to send the email to. Typically the email appears to come from the CEO or CFO, or (as in the case above) the superintendent. The message often uses business-appropriate language, and may even have correct logos and signatures. The email is sent to someone who would indeed normally handle payroll data. The scammer usually asks the individual to send the W-2s directly to the sender because there is an urgent matter to deal with.

What can you do? If you receive a request to provide sensitive employee information, verify with the apparent sender that the request is legitimate. This is particularly important if you handle payroll or employment data for a small or mid-sized company - because you are a target. It's far easier to walk down the hall or pick up the phone than it is to recover after you've accidentally given a scammer the information they need to perpetrate identity fraud at the expense of your employees.



Fake or overdue tax payments


In 2016, I received literally dozens of phone calls to my home, from an automated robocaller mentioning an "important legal matter." The callback number differed but the subject was always the same: I owed overdue taxes to the county, or to the IRS, and faced arrest or huge fines if I did not pay the taxes immediately.

Others I have spoken with saw similar scams by email or by SMS (text message). The emails sometimes included a PDF or Word "tax bill" that instead contained malware. Sometimes the message referred to an overdue tax from a legitimate taxing authority (the city, county, state, or IRS); other times the tax was entirely made up (the most common theme was a "federal student tax").

In most cases, the scammer demanded immediate payment, often by prepaid debit cards, iTunes or Amazon gift cards, or wire transfers. These payment methods are hard to trace and may be impossible to reverse - benefiting the scammer, to the victim's chagrin.

What can you do? The IRS published a warning in December describing variations on this scheme, along with some warning signs. The IRS will never:


  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer or initiate contact by e-mail or text message. Generally, the IRS will first mail you a bill if you owe any taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Ask for credit or debit card numbers over the phone.



Bogus tax preparers or tax software


This time of year there are lots of advertisements and emails promoting tax preparers and tax software. Some of the advertisements are perfectly legitimate - but it's hard to tell at a glance which are legit and which are fraudulent. 

A wry twist on this targets the tax professionals themselves: the IRS reported last year a scheme in which attackers contacted tax professionals, claiming to have an update for their professional software. Instead, the "update" installed a backdoor that stole the personal information of that professional's clients.

What can you do? Stick to names you know (TurboTax, H&R Block, for example), or to referrals from someone you trust (such as your bank or a personal contact). 

And speaking of TurboTax, for the last two years they have promoted a feature of their software where you can snap a picture of your W-2, and the software will automatically extract the relevant data to fill in your tax return. As convenient as that sounds, I'm not a fan, at least not without a little forethought: photos taken on a smartphone typically sync to Apple's iCloud or Google Drive online storage, and they stay in your photo roll as well.


TurboTax advertising using a photo of your W-2 to import data for filing your return. I'm leery.




Fraudulent tax returns



Picture this: you've collected all your income and deductions documentation, carefully filled out your tax return, and sent it in to the IRS in time to meet the April 18* deadline. A day or two later, you get a reply from the IRS: your return was rejected because you already filed, and already received a hefty refund.

The IRS does not audit every tax return, meaning that if a scammer has enough information about you, they can file a return using your Social Security number, but put in bogus income and withholding information that results in a significant refund due. Unless something about the return stands out, the IRS processes it as a valid return, leaving a mess to clean up when you file your genuine return later.

This is a significant enough problem that the IRS is delaying tax refunds by a few weeks this year, so they can better sift out fraud. The IRS will not issue any refunds for returns claiming the child tax credit or earned income tax credit (tax credits often abused by crooks to jack up refund amounts) before February 15.

What can you do? The single best defense against a crook filing a fraudulent return in your name is for you to file first. By law, most employers, charities, and financial institutions must provide your tax paperwork to you by January 31.

A very good second step is to request what the IRS calls an "Identity Protection PIN" or IP PIN. This is essentially a password that goes along with your Social Security number to identify you to the IRS; once you request an IP PIN, the IRS will not accept a tax return using your SSN unless it also includes your IP PIN. Note that the IRS has not made this available to everyone; those currently eligible include residents of Florida, Georgia, and the District of Columbia, along with individuals who were previously victims of tax return fraud.

*Tax Day in 2017 is indeed April 18, due to the 15th falling on a Saturday, and Washington, D.C.'s Emancipation Day being observed on Monday the 17th. If you happen to reside in Massachusetts or Maine, the filing deadline is Wednesday, April 19, thanks to Patriots' Day.



Hays County (Texas) Sheriff's Office shared some additional advice:


[Reprinted from an email to area neighborhoods]

If you get a call or email that you owe any kind of back taxes or penalties, check directly with the IRS by going to www.irs.gov (there’s even a Spanish-language option) and using its online tool to check, or by calling the main IRS number 1-800-829-1040 or a local IRS office number. Don’t use any numbers/emails given to you by whoever called/emailed you.

And speaking of calling/emailing: The IRS will NOT contact you by phone or email about back taxes. The IRS will send you a letter. And the IRS will NEVER ask you to pay over the phone or online. So don’t fall for giving out a credit card, debit card, prepaid card, iTunes card (really, one scam asks for that), etc.

If you do owe taxes, you can set up a payment plan in some instances so check with the IRS about doing that if you need to. Also, on the IRS page is a free e-filing option (you don’t have to pay a company to file your taxes electronically).

Fight back: You can forward shady tax-related emails to phishing@irs.gov and report suspicious phone calls to the Treasury Inspector General for Tax Administration (https://www.treasury.gov/tigta/) and the Federal Trade Commission (https://www.ftc.gov/). Collecting these reports recently helped the Department of Justice indict dozens of people in an alleged international call-center fraud scheme.



Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.