With Tax Day now just one month away income tax scammers are working overtime to separate hard working tax payers from their yearly refund, employing primarily a single tried and true method, but with a few new wrinkles added in for 2016.
The IRS is estimating income tax fraud will cost American taxpayers about $21 billion in 2016, up from around $6 million in 2014. This huge sum of money will be stolen in a variety of ways, such as, falsely filed tax returns, convincing people they owe money for back taxes or tricking them into send personally identifiable information that is then sold.
The one constant in these attacks is the method used to start the process. Phishing scams.
“The IBM X-Force reported a significant increase in the number of attacks hitting not only tax records, but the medical world too,” said IBM's Etay Maor, executive security advisor at IBM, adding these are done with a tax attack in mind as medical records are perfect for stealing identities and then filing false tax returns.
Maor noted that because they give such a complete picture of the victim medical information is worth dramatically more on the black web with healthcare records going for $50 a pop, compared to just $1 to $3 for a credit card record.
While last year saw false tax return scams making headlines, a person is most likely to be victimized through an email that says he or she owes the government money and if the amount is not paid they will be arrested or their account frozen, Satnam Narang, senior security response manager at Norton by Symantec told SCMagazine.com.
“Scare tactics are one of the most popular types of phishing,” Narang said.
Another trick Narang described takes the opposite approach. Instead of scaring the victim into paying money this one tries to be helpful by saying there is a problem with their taxes, but if the person would just complete the attached form with their personal information the issue will be fixed. That info is then taken and sold on the dark web.
The most unique twist on this bit of trickery, Narang said, try to take advantage of those few people who actually know a bit about phishing.
“Some just ask for the information to be emailed. This goes against what we normally warn against, which is clicking on a link,” he said. In this situation there are no forms to fill out or websites to visit just type in a few bits of information and hit send so it might not set off any alarm bells.
Phishing scams may be highly effective, but they are also easily guarded against if people would just keep one thing in mind, Narang said. The IRS will never email a citizen and ask for information; this request always comes via the U.S. Postal Service.
The other popular attack vector is using falsified tax returns to snatch a person's return. In this case the criminal uses information stolen or purchased to simply file a return before the victim. Then when the person sends in his or her real return a note is received saying one has already been filed.
The only way to defend against this attack is to file as early as possible leaving the bad guy without a window of opportunity, Narang said.
Two likely places cybercriminals are obtaining the information needed to pull off this attack are by swiping W-2 tax forms directly from companies or by stealing medical records.
“W-2 theft has been done before, but not on the scale we are seeing now,” Maor said, adding that IBM has seen hackers move away from hitting hard to crack banks and instead targeting the softer medical facilities and company employees with whale phishing attacks to grab the needed information.
Ironically, even if a person does everything right their information could still be at risk. The IRS itself was breached early last year with its most recent estimate that 700,000 files may have been compromised when hackers initially accessed the IRS system through its 'Get Transcript' application.