Best Practices 04-05-2016

Combating Fraud and Cyberscams this Tax Season

Katie Macdonald

It’s tax season for everyone, which means it’s also fraud season. And with the deadline coming up and people rushing to get their taxes submitted on time, it is still critical to remain vigilant, especially if you are planning to file your taxes online.

According to Threatpost, “A 400 percent surge in tax-related phishing and malware incidents is making this tax season the most treacherous yet for taxpayers.” By the end of February, this year’s 1,389 incidents already topped the 2014 yearly total of 1,361 and is already halfway to matching the 2015 total of 2,748.

Further, an audit released recently by Internet security nonprofit the Online Trust Alliance found that 46 percent, or 6 out of 13 tax software websites in an IRS program, failed cybersecurity protocols. Some of the websites had issues with lack of email authentication, according to the OTA, which lets cyber criminals send out phishing emails purporting to be from a company. Other sites had vulnerabilities that could lead to personal information being stolen.

Poor security practices and extensive seasonal fraudulent attempts, combined with everyone filing taxes online will only make company and individual data more susceptible to attack. It is critical to be aware of the scams that could make their way to any company’s inbox, as well as to know how best to prevent such attacks from happening in the first place.

Tax Season Trickery

In 2015, criminals exploited the IRS “Get Transcript” database and obtained personal information and previous year tax returns from more than 330,000 taxpayers. This year’s attacks have included the tried-and-true email phishing. However, there have been newer forms of attacks that include bogus text messages and attempts to trick people into handing over credentials to third-party tax preparation service accounts, as well as fake web ads appearing to be for legitimate e-file companies that download malware when consumers click on them.

The IRS says attackers are also attempting to harvest personal information that could be used to file false tax returns. Scams include email with links to malware-laden websites that install keyloggers. Additionally, the IRS said tax professionals are reporting phishing scams that are seeking their online credentials to IRS services, for example the IRS Tax Professional PTIN System.

"The sophistication of cybercriminals is a lot more advanced than a few years ago. It's hard for the average consumer to tell [if a website or email is legitimate]," said Jason Sabin, chief security officer at DigiCert, in this article. He said that filing firms should up their standards in the face of widespread chicanery.

Keep Tax Information Safe and Prevent Fraud:

CNBC reports that an independent survey by IDT911, a data security firm, says some 63 percent of U.S. taxpayers polled believe that tax fraud "could never happen to me" and are not concerned by the prospect. The study also found that nearly 20 percent of U.S. filers have not ensured that their wireless networks are secure for filing online.

Personal information filed away in companies isn’t safe from attack either; this year scammers have leveraged phishing to gain access to W2 information at several firms, including technology powerhouse Seagate. In February, a hacker targeted Central Concrete Supply Co. by posing as an employee and requesting W2 information. The same scam was used against Mercy Housing Inc., resulting in the company exposing W2 information for all active employees.

The following tips will aid in ensuring company-wide security or personal security:

For Enterprises:
  • Encrypt company communication: In order to avoid the risks of transferring secure information over insecure email servers, enterprises must prioritize email encryption. Through customization of popular email servers, or through proprietary methods, enterprises must secure their communications in order to keep clients’ information secure.
  • Use EV SSL Certificates to secure web portals: The surest way to secure any web portal is through an EV SSL Certificate that offers both extended validation and high-assurance encryption. DigiCert’s EV SSL Certificates are the highest level of encryption certificate available on the Internet (256-bit encryption). This level of encryption is unparalleled on the Internet and will secure any portal from an outside attack. Look for the green bar and organization’s name next to the website address as a sign of a more trustworthy connection.
For Individuals:
  • Do not send personal information over email: It is important to note that the IRS will not contact anyone via email to request any personal or financial information. Government tax collection agencies never contact taxpayers by email to let them know they’ve received a refund.
  • Avoid using search engines: Click on links that go straight to the source. Poisoned search results may inadvertently lead to dangerous sites. To access tax-related information or to download any forms, go directly to the official IRS website at instead of using a search engine.
  • Update software: Always download the latest updates to Windows, as well as any non-Microsoft applications (such as Adobe Reader, Foxit Reader or other applications that read PDF documents). These updates can help prevent infections that take advantage of security vulnerabilities in those products.

Whether the hacks are social engineered or intelligent hacks, the security vulnerabilities around tax season require increased precautions on both the enterprise and individual level. By improving security practices, enterprises and individuals alike will better avoid the dilemmas and expense of attacks—in or out of tax season.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS