The second day of National Tax Security Awareness Week focused on the danger posed by phishing scams: communications from criminals posing as someone else in an attempt to access personally identifiable information (PII). Today’s IRS Newswire highlighted a recent threat and listed six steps for protecting against phishing scams.
While phishing emails and phone calls are probably the most well-known scams employed by identity thieves, it helps to remember that criminals are constantly evolving their tactics. And the IRS reported that 2018 had seen nearly double the number of 2017 phishing email incidents by the end of October, further underscoring the need for staying on top of the latest scams.
The scam specifically mentioned by the IRS used “IRS Important Notice” and “IRS Taxpayer Notice” in the subject line to get victims to open the email. According to the agency, the enclosed messages “[demanded] payment or [threatened] to seize the recipient’s tax refund.” These tactics—warning victims that they are risking fines, lawsuits, or even jail time by not immediately responding—are commonly used to either directly receive payment from victims or get information that can be used to fraudulently apply for credit cards and bank loans or file tax returns.
Two recent phishing strategies not mentioned in the press release are the “Tax Transcript” and “Refund Deposit” scams. The former included a link that installed malware designed to steal financial information. The latter is a little trickier, using stolen PII to file a tax return that deposits the refund in the victims’ actual bank account. To get their hands on the money, fraudsters pose as an IRS agent or a collection agency representative and alert victims that the refund was deposited in error. They then warn that the money needs to be returned as soon as possible to a conveniently provided address.
Since phishing scams take many forms, the IRS steps for avoiding them cover a lot of ground. Here’s the full list from the IRS Newswire:
- “Be vigilant; be skeptical. Never open a link or attachment from an unknown or suspicious source. Even if the email is from a known source, approach with caution. Cybercrooks are adept at mimicking trusted businesses, friends, and family—including the IRS and others in the tax business. Thieves may have compromised a friend’s email address, or they may be spoofing the address with a slight change in text, such as email@example.com vs firstname.lastname@example.org. In the latter, merely changing the “m” to an “r” and “n” can trick people.
- Remember, the IRS doesn't initiate spontaneous contact with taxpayers by email to request personal or financial information. This includes asking for information via text messages and social media channels. The IRS does not call taxpayers with aggressive threats of lawsuits or arrests.
- Phishing schemes thrive on people opening the message and clicking on hyperlinks. When in doubt, don’t use hyperlinks and go directly to the source’s main web page. Remember, no legitimate business or organization will ask for sensitive financial information via email.
- Use security software to protect against malware and viruses found in phishing emails. Some security software can help identify suspicious websites that are used by cybercriminals.
- Use strong passwords to protect online accounts. Each account should have a unique password. Use a password manager if necessary. Criminals count on people using the same password repeatedly, giving crooks access to multiple accounts if they steal a password—creating opportunities to build phishing schemes. Experts recommend the use of a passphrase, instead of a password, use a minimum of 10 digits, including letters, numbers and special characters. Longer is better.
- Use multi-factor authentication when offered. Some online financial institutions, email providers and social media sites offer multi-factor protection for customers. Two-factor authentication means that in addition to entering your username and password, you must enter a security code generally sent as a text to your mobile phone. Even if a thief manages to steal usernames and passwords, it’s unlikely the crook would also have a victim’s phone.”
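The first step above describes spoofed addresses that swap an “m” for an “r” and “n.” As an added example (not from the IRS or the original post), here is one way a mail filter could flag that kind of look-alike sender domain. The domain names are constructed placeholders, and the substitution table beyond “rn” is an assumption that generalizes the single case the IRS describes.

```python
from email.utils import parseaddr

# Domains the firm actually corresponds with (constructed placeholder).
TRUSTED = {"summit-tax.example"}

# Character sequences that render like another letter. Only "rn" -> "m"
# comes from the IRS text; the other entries are assumed additions.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def skeleton(domain):
    """Collapse visually confusable sequences into one canonical form."""
    s = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify_sender(from_header, trusted=TRUSTED):
    """Return (verdict, matched_domain) for a From: header value.

    verdict is "trusted" for an exact match, "lookalike" when the domain
    differs from a trusted one only by confusable sequences, and
    "unknown" otherwise.
    """
    _display_name, address = parseaddr(from_header)
    _local, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("unknown", None)
    if domain in trusted:
        return ("trusted", domain)
    # Compare skeletons of both sides so the check also works when the
    # trusted name itself contains a sequence such as "rn".
    for good in sorted(trusted):
        if skeleton(good) == skeleton(domain):
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ('"Tax Office" <notices@surnrnit-tax.example>',
                   "client@summit-tax.example",
                   "someone@other-firm.example"):
        print(header, "->", classify_sender(header))
```

A “lookalike” verdict is a reason to quarantine the message for review; an “unknown” verdict says nothing about whether the sender is safe.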
While security software and password hygiene are always a must, two of the most important words in the IRS list are “be skeptical.” If you’re trying to accommodate a tax client who prefers remote communication, consider using a secure client-facing portal instead of email.
Don’t forget to check back with Taxing Subjects for the rest of the National Tax Security Awareness Day updates.
Source: IRS Newswire