The 2016 tax season started with a bang and hasn’t relented. In February the U.S. Internal Revenue Service (IRS) issued press releases indicating that identity theft, phone scams, and phishing scams remain at the top of its “dirty dozen” list of tax scams, and that they are growing.
By the Numbers
From January through March 2016, MarkMonitor detected an 82% increase in classic web-based phishing attacks targeting the IRS compared to the previous year. Additionally, the IRS is reporting a 400% increase in email, phone, and text phishing, malware, and other email-based scams that exploit the financial pressures of tax season.
Constantly Evolving Scams
This year a new scam has come on the scene that is far harder to track: Business Email Compromise (BEC). I first discussed BEC scams last fall in relation to wire transfer requests and CEO email impersonations. With these person-to-person emails, which often use lookalike domain names, suspicious or fraudulent intent is very hard to detect from the message alone. BEC scams exploit the trust relationships that exist within an organization, counting on employees’ tendency to be more responsive to, and less suspicious of, an email from a company executive. It’s another twist on social engineering.
Fraudsters are capitalizing on employee trust by customizing BEC scams for tax season. As reported by the IRS on March 1, BEC emails are being sent in the name of the organization’s CEO or CFO to HR or payroll personnel requesting employee W-2s. Unsuspecting HR or payroll employees then supply the requested data in a reply email, handing over the full names, addresses, and Social Security numbers of the organization’s entire employee roster and exposing every one of those employees to identity theft.
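The lookalike-domain and executive-impersonation patterns described above can be checked mechanically at the mail gateway or in a help-desk triage script. The following is an added example, not code from the original post or from MarkMonitor: the organization domain, the executive list, the homoglyph table and the sample messages are all constructed for illustration, and the thresholds are heuristics to be tuned for a real domain.

```python
"""Flag BEC-style sender anomalies (lookalike domains, executive
display-name impersonation, Reply-To redirection) in raw email headers.

Added example with constructed data; not from the original post.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data (hypothetical, not from the article).
ORG_DOMAIN = "examplecorp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@examplecorp.com",   # CEO
    "john roe": "john.roe@examplecorp.com",   # CFO
}
# Request types the post describes: W-2 rosters and wire transfers.
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "social security")


def levenshtein(a, b):
    """Edit distance; a small distance between domains suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Collapse common homoglyph substitutions (rn->m, vv->w, 0->o, 1->l ...)."""
    d = domain.lower().strip()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True if domain imitates org_domain without actually being it."""
    d = domain.lower().strip()
    if d == org_domain:
        return False
    brand = org_domain.split(".")[0]
    if brand in d:                                      # examplecorp-hr.com, examplecorp.com.evil.net
        return True
    if normalize_domain(d) == normalize_domain(org_domain):  # examplec0rp.com
        return True
    return levenshtein(d, org_domain) <= 2               # exanplecorp.com; tune for short domains


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message):
    """Return a list of finding strings for one RFC 822 message; [] means clean."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    if is_lookalike(from_dom):
        findings.append("lookalike sender domain: %s" % from_dom)
    # A "reply" goes to Reply-To, so an external Reply-To on an internal-looking
    # From is the classic way to harvest the answer.
    if reply_addr and reply_dom != from_dom and reply_dom != ORG_DOMAIN:
        findings.append("reply-to redirects to external domain: %s" % reply_dom)
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append("display name impersonates executive %s (from %s)" % (from_name, from_addr))

    payload = msg.get_payload()
    if msg.is_multipart():
        payload = " ".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = (msg.get("Subject", "") + " " + payload).lower()
    if any(t in text for t in SENSITIVE_TERMS) and (findings or from_dom != ORG_DOMAIN):
        findings.append("sensitive-data request from suspect sender")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": ("From: Jane Doe <jane.doe@examplec0rp.com>\nTo: payroll@examplecorp.com\n"
                  "Subject: W-2 copies needed today\n\nPlease send the W-2s for all employees as a PDF. Urgent.\n"),
    "legit": ("From: Jane Doe <jane.doe@examplecorp.com>\nTo: payroll@examplecorp.com\n"
              "Subject: Lunch\n\nTeam lunch Friday?\n"),
    "webmail": ("From: John Roe <john.roe.cfo@webmail.example>\nReply-To: john.roe.cfo@webmail.example\n"
                "To: hr@examplecorp.com\nSubject: quick request\n\n"
                "I need the employee roster with social security numbers before my flight.\n"),
    "reply_to": ("From: Jane Doe <jane.doe@examplecorp.com>\nReply-To: ceo-office@mail.example.net\n"
                 "To: finance@examplecorp.com\nSubject: Wire transfer\n\nProcess the wire transfer to the vendor below.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze(raw) or ["clean"])
```

The checks are deliberately layered: a lookalike domain, a Reply-To pointing off-site, or an executive's name on a foreign address is each suspicious on its own, and a W-2 or wire request from such a sender is what should route the message to a second approver rather than to the payroll inbox. Header-From spoofing of the real domain is not caught here; that is what SPF, DKIM and DMARC enforcement at the gateway are for.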
How to Protect Your Organization
- Employee education, awareness, and empowerment are key to fighting these social engineering tactics. Each employee must understand that they are the first line of defense and should question out-of-the-norm communications.
- Employees (and consumers in general) should be suspicious of pressure to act urgently or to act outside normal business practices.
- Train team members to hit “forward” instead of “reply” so they are forced to type or select the correct “To:” address from the directory, rather than answering whatever Reply-To address the sender supplied.
- Pre-establish internal checks and balances so that no single person can send a wire transfer or email sensitive information such as an entire employee roster; require a second approval, confirmed through a channel other than the requesting email (for example, a phone call to a number already on file).
For individuals, the IRS advises that it will never demand payment over the phone, call you to ask for personal information, or threaten to have local law enforcement arrest you for non-payment. Do not give out any personal information over the phone when you receive a call of this nature; hang up and call the IRS directly at 800-829-1040 for help.