The tax filing season is underway, along with hackers who are busy trying to steal your refund. The IRS issued a warning about the first scam of the season. It targets taxpayers by hacking into computers used by tax professionals, and using client information to file phony tax returns (1).
The official tax filing season began on January 29th this year. That’s when the IRS started accepting 2017 tax returns. The agency identified this new scam just a few days later, saying that hackers had already stolen information from the computers of several tax preparers and filed fraudulent returns.
The IRS said, it’s probably just one of several scams that will show up during this tax season. It says substantial progress has been made to increase security for individual taxpayers, so cybercriminals appear to be going after tax professionals so far this season.
Hackers are also making their phony tax returns look more real with more details about their victims. The IRS said, “Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions.”
It also said, hackers are coming up with more creative ways to get a hold of the tax refund. In a few cases involving this scam, the IRS said the hacker directed the refund to the real taxpayer’s bank account. Later, a woman posing as a debt collecting agent calls to say that a deposit was made by mistake, and the taxpayer should forward that amount to a different account.
Beware of the Phishing Email
The IRS is still looking into the source of this scam, but said it’s likely that hackers are gaining access to tax preparer computers with a phishing mail. It said, someone in the office probably clicks on it, which allows the installation of malicious software into the computer system that’s used to steal data.
The IRS has taken steps to fight identity theft and tax return fraud with a partnership called “Security Summit.” It’s a collaboration between the IRS, software companies, tax preparation firms, state tax agencies, and others. The Security Summit website provides updates on the latest scams and how individuals and businesses can protect themselves (2).
Back in November, the IRS held a National Tax Security Awareness Week with a campaign to help educate taxpayers on digital security measures. Individuals are advised to avoid unknown retailers if they shop online, make sure wifi connections are secure, and avoid phishing emails. Up-to-date security software is also important along with the changing of passwords, the encryption of sensitive documents stored on your computer, and the use of multi-factor authentication.
Don’t Take the Bait Campaign
As for this latest scam, the IRS added it to an educational series for tax preparers called “Don’t Take the Bait.” It’s part of a campaign called “Protect Your Clients, Protect Yourself,” which focuses on the need for increased computer security among tax professionals (2).
In addition to advice on identifying and avoiding phishing emails, the series helps educate tax preparers about account takeover tactics, ransomware attacks, W-2 email thefts, and other security issues. And it offers advice on how to make data security an every day priority.
IRS Commissioner John Koskinen said, “Cybercriminals are increasingly targeting the tax community, and tax practitioners play a critical role in helping safeguard their client data as well as their own.” The IRS website also reminds tax preparers, “They have not just an obligation but a legal requirement under federal law to protect taxpayer information.”
Beware of Tax-Related Identity Theft
The IRS also offers plenty of advice for individual taxpayers who discover someone is using their social security number to file for a tax refund. You may be contacted by the IRS or your tax preparer about the discovery. Or, you may discover some other suspicious circumstance, such as a notice about wages from an employer you don’t recognize.
The IRS said, you should always file your tax return even if you think someone else has done so in your name. But, you should also file a complaint with the FTC, place a “fraud alert” on your credit records, and call your bank about any unauthorized banking activity.
If your social security number is compromised, and you are unable to efile your return, you will need to fill out a form called “Identity Theft Affidavit” and submit it to the IRS. If you have taken measures to secure your computer ahead of time, you should be able to avoid all of this.