As taxpayers nationwide file their 2018 returns, they should prepare to do battle with the hackers and fraudsters now coming out of hibernation to confiscate your money.
Their most dangerous threat this year is the Emotet trojan. If accidentally downloaded, this malware virus hunkers down hidden inside your computer, allowing the hacker to spy on and redirect your data. Emotet already lurks amid the computer software of many banks and financial institutions and tries to trick people into downloading infected documents. Most businesses are now aware of it and have purged it.
But here’s the new wrinkle: “We’ve noticed this scam also masquerading as the IRS,” said agency spokesperson Richard Sanford. The scam email comes with an attachment labeled Tax Account Transcript — or something similar — and the subject line contains a variation on the phrase “tax transcript.”
It appears to be a summary of your tax return, so it’s tempting to open. But “don’t do it,” urged Sanford. “We do not send unsolicited emails to the public, nor would we email a sensitive document such as a tax transcript.”
But what should you do if such a document comes from your accountant or tax preparer? Unfortunately, those sources can be the weak link — and scammers know it. Since tax preparers do business with a broad range of the public, hackers could be hiding among their clients, making your accountant more vulnerable than the IRS.
A major fraud was uncoveredin tax preparers’ offices in which “infected computers provided access to the complete return data of thousands of consumers.” The hackers invaded five to seven firms a week, infecting everything from routers to cell phones, and then filed refund claims for these unwitting taxpayers.
When the IRS caught onto this scheme, it issued a release that warned tax preparers about the “high risk.” But the agency places primary responsibility on the tax professional. Although the IRS offers support, it nonetheless warns that the law requires tax preparers to protect themselves with a robust security plan. The agency even suggests hiring “white hat” hackers to show the accountants their vulnerabilities.
Can small accounting firms play defense against an ever-growing army of attackers — including countries — that can easily overwhelm even major corporations? One insurance executive who took his previously “scrubbed” laptop to China discovered it contained three “evil maid” viruses after his hotel stay.
Your information is out there
Hackers claimed 16.7 million U.S. victims in 2017 alone, cheating them out of $16.8 billion, according to an annual study by Javelin Strategy & Research. And according to Menlo Security, another cyber protection firm, 42 percent of the top 100,000 internet sites have either been compromised or are using vulnerable software.
“Cyberthreats are dramatically increasing, and during tax season, almost all of your personal information is out there,” warned Michael Tannenbaum, head of the North American Cyber Practice at Chubb, one of the world’s largest insurers. “While it may be convenient to file online, it also exposes you to a variety of risks.”
Hackers can also morph into phone spoofers, either when they’re after your legitimate tax return or to get the illegitimate tax refund from the return they’ve created. New technology that telemarketers use to get the unwary to answer calls also works for scammers. It allows them to spoof, or mimic, real numbers, including those of the IRS.
“Criminals call, claiming to be from a local IRS Taxpayer Assistance Center (TAC) office,” said agency spokesman Sanford, “having programmed their computers to display the TAC telephone number that appears on the taxpayer’s caller ID.”
If the taxpayer becomes suspicious and questions the demand for tax payment, the scammer directs them to the IRS.gov website to look up the local TAC office phone number for verification. The scammer hangs up, waits a few minutes, then calls back a second time with the falsified caller ID. By now the taxpayer could be scared, convinced and agreeable to the scammer’s demand, which usually entails payment on a debit card.
If this still doesn’t work, the hapless taxpayer is bombarded with similar spoofing calls from local sheriffs’ offices, police departments, state motor vehicle offices and other federal agencies, making threats for payment. It probably sounds convincing, unless the taxpayer is aware that the IRS never communicates through other government offices this way.
Striking gold with the elderly
This strategy proves particularly effective with immigrants who have limited language skills and fear authority. And scammers truly hit gold when they identify someone over age 70. The elderly on average are taken for about $1,100, more than twice the overall average fraud loss, according to the Consumer Sentinel Network. Maintained by the Federal Trade Commission, it tracks all forms of consumer fraud and identity-theft complaints filed with federal, state and local agencies, as well as private organizations.
The IRS does offer defenses, but you have to know where to look. If you suspect a phony email, go the email@example.com website to report the hack and forward the fraudulent email. The United States Computer Emergency Response Team (US-CERT) issues warnings about versions of trojans and other malware, but new ones are always appearing. The IRS is also asking taxpayers to provide their driver’s license data, according to accountants, reasoning that it’s one piece of data the scammers probably haven’t gotten their hands on. However, offering that information is optional.
before the tax cheats. But it’s not always possible, since you have to wait for your W-2s, 1099s and other financial documents to arrive. Scammers don’t encounter this: They simply forge these documents.
“These criminals are super-smart,” said Emy Donavan, global head of cyber at insurer AGCS, “and they’re creating the largest transfer of wealth in history.”