Most of us look at our payslips and bemoan the amount the government takes from our wages, but we also understand that the money helps fund public services.
So imagine receiving an email from a government tax collector informing you that you’re entitled to a tax refund – or that you haven’t paid enough and need to do so immediately to avoid legal action. Either will likely elicit a dramatic response, and you might not stop to think before replying.
Fraudsters can use predictable responses to their advantage in phishing scams that hack personal and payment information. As the UK deadline for tax returns has recently passed, it would not be totally unexpected to receive such an email. However, it is worth noting that no matter how genuine the sender's email address may seem, HMRC will never send notifications by email about tax rebates or refunds.
In 2017-18, HMRC received 771,227 reports of tax refund and rebate scams and this looks unlikely to decrease, as it can be a very effective way for fraudsters to get access to personal information. Indeed, as a report by Verizon into data breach investigations has shown, nearly one in four (23%) people open phishing emails.
Tax professionals fall prey, too
However, it’s not only the individual tax payer who is at risk. The problem is widespread and can affect both individuals and businesses.
Fraudsters and scammers are actively targeting tax professionals in a bid to gain access to their client’s details. Originally highlighted by the U.S. Internal Revenue Service (IRS), phishing emails impersonating important software update notices are designed to get into a system and steal large amounts of data in a single attack.
In 2018, the IRS noted a 60% increase in bogus email schemes that sought to steal money or tax data, and, as the U.S is currently entrenched in the yearly tax season, the threat of business email compromise (BEC) scams could be even higher than usual. These emails often target human resources or payroll managers to specifically request employee W-2 files, which not only disclose individuals wage details, but their social security numbers and addresses as well.
Both the IRS and HMRC offer comprehensive services and advice to check and report phishing attempts and scams. However, there are steps that employers can also take to protect their employee and client data.
MarkMonitor has a portfolio of anti-phishing solutions which protect a business by preventing, detecting and mitigating threats. Nevertheless, employees must also understand that they are the first line of defence against fraudsters and they should carry out substantial checks before divulging confidential information about themselves or other employees.
HMRC advises reporting phishing email scams here and the IRS recommends organisations receiving W-2 scams to contact both the IRS at email@example.com with the subject line "W2 Scam" and the FBI's Internet Crime Complaint Center (IC3).