It's that time of year again! Individuals and businesses alike are busy preparing to file their taxes. They have until 17 April, 2018 to file with the U.S. Internal Revenue Service (IRS).
The IRS is well-aware of this looming deadline. Just as it knows fraudsters will try to prey upon taxpayers, employers and tax professionals leading up to that date.
To protect Americans, the government agency is warning of various tax-related ploys and fraudulent schemes. Here are four types of particular scams that payers, professionals, and businesses should keep an eye out for.
This scam begins after attackers have stolen tax professionals' data and leveraged that information to file fraudulent tax returns in the names of their clients. The bad actors choose to deposit the returns into taxpayers' bank accounts and then contact them claiming they must return a tax refund that was erroneously deposited into their accounts.
The IRS has detected multiple variants of this scheme. In one version, criminals pose as a debt collection agency acting on behalf of the IRS. In another, the bad actor poses as an IRS employee and threatens to "blacklist" the victim's Social Security Number along with file for an arrest warrant and press criminal charges.
Taxpayers who receive a legitimate erroneous refund should work with their financial organization to refund the funds to the IRS. For more information on how to return an erroneous refund, please follow the revenue service's advice here.
IRS-Impersonation Telephone Calls
Attackers have been impersonating IRS agents for some time now. In the latest variants of this ruse, fraudsters call up unsuspecting taxpayers. They claim to have their tax return and say they just need to verify some of their target's personal and financial information like Social Security Numbers and payment card details.
IRS Commissioner John Koskinen notes these newest attacks are just more of the same.
"These schemes continue to adapt and evolve in an attempt to catch people off guard just as they are preparing their tax returns," explains Koskinen in an IRS consumer alert. "Don't be fooled. The IRS won’t be calling you out of the blue asking you to verify your personal tax information or aggressively threatening you to make an immediate payment."
To protect themselves against these ploys, taxpayers must remember that the IRS will never call them and demand immediate payment over the phone. If they have any doubt whether they owe outstanding taxes, they should hang up and call the IRS directly to speak to a representative.
"Unlock" Tax Software Accounts Ruse
Nefarious individuals don't just target taxpayers. They also go after tax professionals in order to steal their data.
To increase their chances of success, attackers use a variety of techniques. One emerging ruse begins when a tax professional receives an email with the subject line "Access Locked." The email tells the professional that their access to tax preparation software has been "suspended due to errors in your security details." The email comes with a link that they can use to supposedly unlock their access.
Of course, the targeted tax professional never lost access to their tax preparation software, so the link doesn't help them unlock their access. Instead it directs them to a fake website designed to steal their credentials for the software. Attackers can then abuse those details to access the professional's account, steal their client's data, and use it to send out erroneous refunds.
Tax professionals can protect themselves against this type of scam by avoiding suspicious links and email attachments. They can also verify whether they no longer have access to their tax preparation software. But before they do, they should scan for malware just in case attackers have compromised their computers.
Form W-2 Scam
Businesses are the intended target of the final ruse discussed in this article: form W-2 scams. This scheme requires a little more work on the part of criminals. First, they research their intended target organizations and hone in on executives, school administrators, and others in positions of power. Next, they conduct a business email compromise (BES) attack to seize control of their email accounts. Posing as the victim, they then send out emails to payroll personnel and request W-2 information on all employees.
Many criminals don't stop there once they've received that data, either. According to the IRS, many monetize the information on the dark web, allowing others to target the victims for subsequent crimes. Other crijminals will use the compromised email to authorize a fraudulent wire transfer to a bank account under their control.
Employers can protect themselves against form W-2 scams by instituting business controls that limit the number of employees who handle W-2 information. They should also create policies consisting of additional steps which employees must follow in order to obtain the proper authorization for a wire transfer request.
What to Do If You Discover a Tax-Related Scam
In the event a taxpayer, tax professional or employer discovers one of the scam types discussed above, they should report it to the IRS. Phishing emails should be sent to firstname.lastname@example.org whereas instances of successful W-2 scams should be directed to email@example.com. They should also consider notifying the police if they've lost funds and/or sensitive information as a result of a tax-related scam.
Stay safe, everyone, and happy filing!