It’s tax season for everyone, which means it’s also fraud season. And with the deadline coming up and people rushing to get their taxes submitted on time, it is still critical to remain vigilant, especially if you are planning to file your taxes online.
According to Threatpost, “A 400 percent surge in tax-related phishing and malware incidents is making this tax season the most treacherous yet for taxpayers.” By the end of February, this year’s 1,389 incidents already topped the 2014 yearly total of 1,361 and is already halfway to matching the 2015 total of 2,748.
Further, an audit released recently by Internet security nonprofit the Online Trust Alliance found that 46 percent, or 6 out of 13 tax software websites in an IRS program, failed cybersecurity protocols. Some of the websites had issues with lack of email authentication, according to the OTA, which lets cyber criminals send out phishing emails purporting to be from a company. Other sites had vulnerabilities that could lead to personal information being stolen.
Poor security practices and extensive seasonal fraudulent attempts, combined with everyone filing taxes online will only make company and individual data more susceptible to attack. It is critical to be aware of the scams that could make their way to any company’s inbox, as well as to know how best to prevent such attacks from happening in the first place.
In 2015, criminals exploited the IRS “Get Transcript” database and obtained personal information and previous year tax returns from more than 330,000 taxpayers. This year’s attacks have included the tried-and-true email phishing. However, there have been newer forms of attacks that include bogus text messages and attempts to trick people into handing over credentials to third-party tax preparation service accounts, as well as fake web ads appearing to be for legitimate e-file companies that download malware when consumers click on them.
The IRS says attackers are also attempting to harvest personal information that could be used to file false tax returns. Scams include email with links to malware-laden websites that install keyloggers. Additionally, the IRS said tax professionals are reporting phishing scams that are seeking their online credentials to IRS services, for example the IRS Tax Professional PTIN System."The sophistication of cybercriminals is a lot more advanced than a few years ago. It's hard for the average consumer to tell [if a website or email is legitimate]," said Jason Sabin, chief security officer at DigiCert, in this article. He said that filing firms should up their standards in the face of widespread chicanery.
Personal information filed away in companies isn’t safe from attack either; this year scammers have leveraged phishing to gain access to W2 information at several firms, including technology powerhouse Seagate. In February, a hacker targeted Central Concrete Supply Co. by posing as an employee and requesting W2 information. The same scam was used against Mercy Housing Inc., resulting in the company exposing W2 information for all active employees.
The following tips will aid in ensuring company-wide security or personal security:For Enterprises:
Whether the hacks are social engineered or intelligent hacks, the security vulnerabilities around tax season require increased precautions on both the enterprise and individual level. By improving security practices, enterprises and individuals alike will better avoid the dilemmas and expense of attacks—in or out of tax season.