Tax Season Scams

As tax season comes to a welcome close (file your returns – or an extension – by April 18!), a recent spike in phishing attacks camouflaged as official IRS emails reminds us that basic cyber-hygiene, like fundamental third party risk management (TPRM) practices, remains pivotal even when tax-filing deadlines, current events, and the latest cyber-attack variants tend to overshadow its enduring utility.

Ways Taxpayers Can Avoid Cyber Scams During Tax Season

Fortinet’s FortiGuard Labs recently issued a warning that bad actors were capitalizing on taxpayers’ focus on 1099s, W-9s and other income-tax filing requirements by pursuing two tax-centered scams. One consists of a malicious email claiming to originate from the IRS; the message carries a malicious Microsoft Excel file designed to deliver Emotet, a piece of malware that first appeared in 2014. The second is a phishing email asking recipients to fax personally identifiable information (PII) after completing a phony tax document. The all-caps subject line (“NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE”) and the typos and sketchy grammar dotting the email likely alerted some would-be victims to its risks.
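The indicators FortiGuard Labs describes (an all-caps subject line, a sender claiming to be the IRS, a malicious Excel attachment, a request to fax PII) can be turned into a simple mail-triage heuristic. The script below is an added example written for this post; it is not code from Fortinet, Shared Assessments or the IRS. The two sample messages are constructed, the indicator weights and the alert threshold are assumptions chosen for the illustration, and the rule that a genuine IRS sender address should end in .gov is a heuristic assumption, not a statement from the post.

```python
"""Heuristic triage of tax-season phishing lures (added example, not from the post).

Scores a parsed e-mail on the indicators named in the post -- an all-caps subject
line, a claimed IRS sender whose address is not on a .gov domain, an Excel
attachment, and a request to fax personal information -- and flags messages
that accumulate enough weight. Weights and threshold are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for the example; no real headers were captured.
SAMPLE_SCAM = """From: "Internal Revenue Service" <refunds@irs-notice.example.com>
To: taxpayer@example.org
Subject: NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have submited the incorect tax form. Kindly complete the attached form
and fax it back with your social security number.
--b1
Content-Type: application/vnd.ms-excel; name="W9_update.xls"
Content-Disposition: attachment; filename="W9_update.xls"

...
--b1--
"""

SAMPLE_LEGIT = """From: payroll@employer.example.org
To: taxpayer@example.org
Subject: Your 2021 W-2 is available in the HR portal
Content-Type: text/plain

Log in to the HR portal at the usual address to download your W-2.
"""

EXCEL_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
EXCEL_EXT = (".xls", ".xlsx", ".xlsm")
PII_TERMS = re.compile(r"social security|\bssn\b|tax id|\bein\b|\bitin\b", re.I)
SUSPICIOUS_THRESHOLD = 3  # assumption chosen for the example


def get_body_text(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def has_excel_attachment(msg):
    """True if any MIME part looks like an Excel workbook (by name or type)."""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXCEL_EXT) or part.get_content_type() in EXCEL_TYPES:
            return True
    return False


def claims_irs_from_non_gov(msg):
    """Display name or address mentions the IRS but the domain is not .gov (heuristic)."""
    display, addr = parseaddr(msg.get("From", "") or "")
    claims_irs = re.search(r"\b(irs|internal revenue)\b", f"{display} {addr}", re.I)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return bool(claims_irs) and not domain.endswith(".gov")


def requests_faxed_pii(body):
    """Body asks the reader to fax something and names a PII field."""
    return bool(re.search(r"\bfax\b", body, re.I) and PII_TERMS.search(body))


def triage(raw_message):
    """Return the weighted indicator score and whether it crosses the threshold."""
    msg = message_from_string(raw_message)
    body = get_body_text(msg)
    findings = []
    if (msg.get("Subject", "") or "").isupper():
        findings.append(("all-caps subject line", 1))
    if claims_irs_from_non_gov(msg):
        findings.append(("claims to be the IRS from a non-.gov address", 2))
    if has_excel_attachment(msg):
        findings.append(("Excel attachment", 2))
    if requests_faxed_pii(body):
        findings.append(("asks to fax personal information", 2))
    score = sum(weight for _, weight in findings)
    return {
        "score": score,
        "indicators": [name for name, _ in findings],
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, triage(raw))
```

Run on the constructed samples, the lure collects all four indicators and is flagged, while the plain payroll notice scores zero. In practice such a scorer is a first-pass filter for a mail gateway or SOC queue; the weights should be tuned against real traffic, and a message that trips only the all-caps rule would not be flagged on its own.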

Yet, basic clues, as well as back-to-basic cybersecurity practices, can suffer neglect when consumers and businesses are focused on defending against new cyber risks (e.g., those related to Russia’s invasion of Ukraine and the Kremlin’s reaction to sweeping economic sanctions) that receive more prominent news coverage. The fact that bad actors continue to rely on tried-and-true methods of exploiting cybersecurity defenses confirms the value of fundamental risk management practices. The SIG tools, for example, address phishing email risks from two different control-area perspectives (Asset and Information Management as well as Human Resources Security), notes Shared Assessments Sales Manager Christopher Campbell.

How to Identify Cyber Scams In Tax Season

Two of Campbell’s Shared Assessments colleagues were contacted by SC Media to share their insights for research into an article examining how bad actors leverage tax filing season and other current events to pilfer PII, steal credentials and inflict monetary losses on individuals and businesses.

Shared Assessments Senior Advisor Nasser Fattah stressed to SC Media that tax season scams are often unsophisticated. “They are designed to catch one’s attention to eventually trigger a response,” he noted. “For example, ‘Hi, this is the IRS. You have submitted the incorrect tax form. Kindly use the one attached.’ Alternatively: ‘Attached is your 1099.’ Once the file is opened, it loads malware designed to steal sensitive information.”

This year’s tax-related phishing attacks remind Shared Assessments Vice President Tom Garrubba of a “mob-related scam operating out of Florida designed to obtain tax ID numbers several years ago.” That scheme was exposed after enough taxpayers complained to the IRS about missing refund payments.

“The refund checks were, of course, re-routed to the scammers,” Garrubba recalled. “Cyber threat actors – like the birds of Capistrano – are returning to tried and true tactics like phishing to obtain those tax ID numbers. The slick ones are very good at spoofing government notices to a T while others look bogus on first glance due to syntax, spelling, and font errors.”

It is “always wise to follow up directly with any government authority to ensure the authenticity of the notification,” Garrubba added. “That way, the agency can let other policing authorities know of the scams, alert the press to spread the message, and to follow up with other internal and external agencies for next steps.”

It’s also wise to consistently perform tried-and-true risk management practices, such as discussing new threats and leading practices with third party risk peers and deploying a standardized assessment tool designed to address fundamental risk management needs efficiently.
