The April 15 filing deadline is looming, and so far, the 2019 tax season has been a lively one. Businesses and individual filers alike have been struggling to understand the full ramifications of the significant changes made to the tax code in 2018 under the Tax Cuts and Jobs Act of 2017. Additionally, a government shutdown threw a monkey wrench into the IRS’ ability to process tax returns and issue refunds.
Cybercriminals are expected to take advantage of the confusion and turmoil, increasing their use of tax scams to steal personal information and email credentials.
Tax scams are attractive to hackers because of the breadth of personal information available on tax forms, including names, birth dates, social security numbers, wages, and addresses. In some cases, companies applying for employer identification numbers (EINs) were tricked into signing up via fake websites. Other scams involve tricking HR employees into changing direct deposit information, or companies hiring fraudulent tax preparers to handle their accounting.
W-2 scams are a common problem as well as a form of business email compromise attack. The cybercriminals impersonate a company executive using a spoofed account or an already compromised account and request W-2 forms. Most of these emails don’t contain malicious attachments or URLs, and because they are leveraging a legitimate (yet compromised) email account, they are difficult to detect or block using blacklists, signatures, URL protection, and sandboxing.
When successful, these attacks result in data from the W-2 being used for identity theft. Not only are victims compromised, but they also bear the cost of identity theft protection services moving forward.
Practical tips to avoid tax scams
Here are a few steps you should follow to help your customers avoid getting involved in tax scams:
- Deploy advanced anti-phishing protection that leverages technology like machine learning to analyze communication patterns. Artificial intelligence and machine learning can also help detect account takeover attacks. Additionally, use DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication and enforcement to help reduce domain spoofing.
- Use data loss prevention (DLP) solutions and business policies to block emails that include W-2 forms and other sensitive documents from leaving the company’s servers. During tax season, perform regular searches for emails with tax form attachments or other tax-related information.
- Step up security training around tax time to help raise awareness of tax fraud and perform additional phishing simulations to identify at-risk employees.
- Make sure email accounts are protected with the right level of authentication, and robust password policies are in place.
- Encourage customers to institute additional policies to protect against scams – like requiring verbal or in-person confirmation of any request for financial or other sensitive information, or wire transfers.
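The DLP tip above asks for outbound mail carrying W-2 forms to be blocked and for regular searches of tax-related attachments. The sketch below is an added example, not part of the original article or any vendor's product. It holds a message only when a tax-form attachment name or an SSN-shaped number is headed to a recipient outside the company. The domain `example.com`, the helper names, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Tax-form names (W-2, W2s, W-9, 1099) not embedded in a longer word or number
TAX_NAME_RE = re.compile(r"(?<![a-z0-9])(?:w-?2s?|w-?9|1099)(?![a-z0-9])", re.I)
# SSN-shaped values, excluding ranges that are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def external_recipients(msg):
    """Addresses in To/Cc that are outside COMPANY_DOMAIN."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [a for _, a in addrs if a and not a.lower().endswith("@" + COMPANY_DOMAIN)]

def scan_message(raw):
    """Return the reasons an outbound message should be held; [] means release."""
    msg = message_from_string(raw)
    outside = external_recipients(msg)
    if not outside:
        return []  # internal-only mail is out of scope for this check
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name and TAX_NAME_RE.search(name):
            reasons.append(f"tax-form attachment {name!r}")
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text = data.decode(part.get_content_charset() or "utf-8", "replace")
            if SSN_RE.search(text):
                reasons.append("SSN-like number in text")
    if reasons:
        reasons.append("external recipient " + ", ".join(outside))
    return reasons

def sample_message(to, body, attachment=None):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@example.com", to, "RE: W-2 forms"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"%PDF-1.4", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    leak = sample_message("ceo.personal@mail.test", "Attached as requested.",
                          "W2_2018_all_employees.pdf")
    print(scan_message(leak))
```

Because the scan looks at content and destination rather than sender reputation, it still fires when the request came from a legitimate but compromised executive account.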
Even tax preparers themselves are targets. Their files contain sensitive information and customer data, and last year the IRS reported receiving numerous reports from tax preparation firms that had been the victims of data theft. If your customers are using an outside firm to handle their taxes, make sure they have done their due diligence in evaluating the firm's data protection systems and confirmed the firm's validity by requesting a Preparer Tax Identification Number and verification of its CPA status.
If a customer becomes the victim of a W-2 scam, make sure they report the incident to the IRS and launch an internal investigation to determine the scope of the problem, eliminate malicious emails, and disable any compromised accounts.
Finally, remind customers of the following truths for detecting fraudulent messages: The IRS almost always contacts individuals through snail mail. They don’t call. They don’t e-mail. They don’t demand personal information or payment over the phone.
With security protocols and protections in place, your clients can get back to sorting through the confusing array of new tax rules and getting their returns filed on time.
Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.