It's tax season — prime time for hackers and scammers
By Ed Leefeldt
As taxpayers nationwide file their 2018 returns, they should prepare to do battle with the hackers and fraudsters now coming out of hibernation to confiscate your money.
Their most dangerous threat this year is the Emotet trojan. If accidentally downloaded, this malware virus hunkers down hidden inside your computer, allowing the hacker to spy on and redirect your data. Emotet already lurks amid the computer software of many banks and financial institutions and tries to trick people into downloading infected documents. Most businesses are now aware of it and have purged it.
But here's the new wrinkle: "We've noticed this scam also masquerading as the IRS," said agency spokesperson Richard Sanford. The scam email comes with an attachment labeled Tax Account Transcript — or something similar — and the subject line contains a variation on the phrase "tax transcript."
It appears to be a summary of your tax return, so it's tempting to open. But "don't do it," urged Sanford. "We do not send unsolicited emails to the public, nor would we email a sensitive document such as a tax transcript."
But what should you do if such a document comes from your accountant or tax preparer? Unfortunately, those sources can be the weak link — and scammers know it. Since tax preparers do business with a broad range of the public, hackers could be hiding among their clients, making your accountant more vulnerable than the IRS.
A major fraud was uncovered during last tax season in tax preparers' offices in which "infected computers provided access to the complete return data of thousands of consumers." The hackers invaded five to seven firms a week, infecting everything from routers to cell phones, and then filed refund claims for these unwitting taxpayers.
When the IRS caught onto this scheme, it issued a release that warned tax preparers about the "high risk." But the agency places primary responsibility on the tax professional. Although the IRS offers support, it nonetheless warns that the law requires tax preparers to protect themselves with a robust security plan. The agency even suggests hiring "white hat" hackers to show the accountants their vulnerabilities.
Can small accounting firms play defense against an ever-growing army of attackers — including countries — that can easily overwhelm even major corporations? One insurance executive who took his previously "scrubbed" laptop to China discovered it contained three "evil maid" viruses after his hotel stay.
Your information is out there
Hackers claimed 16.7 million U.S. victims in 2017 alone, cheating them out of $16.8 billion, according to an annual study by Javelin Strategy & Research. And according to Menlo Security, another cyber protection firm, 42 percent of the top 100,000 internet sites have either been compromised or are using vulnerable software.
"Cyberthreats are dramatically increasing, and during tax season, almost all of your personal information is out there," warned Michael Tannenbaum, head of the North American Cyber Practice at Chubb, one of the world's largest insurers. "While it may be convenient to file online, it also exposes you to a variety of risks."
Hackers can also morph into phone spoofers, either when they're after your legitimate tax return or to get the illegitimate tax refund from the return they've created. New technology that telemarketers use to get the unwary to answer calls also works for scammers. It allows them to spoof, or mimic, real numbers, including those of the IRS.
"Criminals call, claiming to be from a local IRS Taxpayer Assistance Center (TAC) office," said agency spokesman Sanford, "having programmed their computers to display the TAC telephone number that appears on the taxpayer's caller ID."
If the taxpayer becomes suspicious and questions the demand for tax payment, the scammer directs them to the IRS.gov website to look up the local TAC office phone number for verification. The scammer hangs up, waits a few minutes, then calls back a second time with the falsified caller ID. By now the taxpayer could be scared, convinced and agreeable to the scammer's demand, which usually entails payment on a debit card.
If this still doesn't work, the hapless taxpayer is bombarded with similar spoofing calls from local sheriffs' offices, police departments, state motor vehicle offices and other federal agencies, making threats for payment. It probably sounds convincing, unless the taxpayer is aware that the IRS never communicates through other government offices this way.
Striking gold with the elderly
This strategy proves particularly effective with immigrants who have limited language skills and fear authority. And scammers truly hit gold when they identify someone over age 70. The elderly on average are taken for about $1,100, more than twice the overall average fraud loss, according to the Consumer Sentinel Network. Maintained by the Federal Trade Commission, it tracks all forms of consumer fraud and identity-theft complaints filed with federal, state and local agencies, as well as private organizations.
The IRS does offer defenses, but you have to know where to look. If you suspect a phony email, go the [email protected] website to report the hack and forward the fraudulent email. The United States Computer Emergency Response Team (US-CERT) issues warnings about versions of trojans and other malware, but new ones are always appearing. The IRS is also asking taxpayers to provide their driver's license data, according to accountants, reasoning that it's one piece of data the scammers probably haven't gotten their hands on. However, offering that information is optional.
One solution is to file early before the tax cheats. But it's not always possible, since you have to wait for your W-2s, 1099s and other financial documents to arrive. Scammers don't encounter this: They simply forge these documents.
"These criminals are super-smart," said Emy Donavan, global head of cyber at insurer AGCS, "and they're creating the largest transfer of wealth in history."
First published on February 6, 2019
© 2019 CBS Interactive Inc.. All Rights Reserved.
Ed Leefeldt is an award-winning investigative and business journalist who has worked for Reuters, Bloomberg and Dow Jones, and contributed to the Wall Street Journal and the New York Times. He is also the author of The Woman Who Rode the Wind, a novel about early flight.
Snap reports record revenues, but struggles to add users
Struggling social media company gets a badly needed boost in growth, while its losses narrowed
How to avoid common financial mistakes
CBS News business analyst Jill Schlesinger provides practical advice that will help you become more financially savvy
Sexual harassment rife in the legal profession
Many law firms remain an "old boys club," according to survey exploring job-seekers' work experiences
Facebook messenger rolls out unsend feature
After Facebook came under fire for letting Mark Zuckerberg alter message history, it gave all users an "unsend" option
Ban on foie gras in NYC restaurants proposed
Bill would have the Big Apple following California in outlawing delicacy that animal advocates say involves cruelty
Super Bowl commercials 2019: Watch the ads
Check out our rundown of some of the most creative, entertaining and memorable commercials from the big game, as well as those that failed miserably
Apple reveals new, bigger, pricier iPhones and Apple Watch
World's most valuable company unveiled three iPhones, an updated Apple Watch and a new "giveback" program
Sep 17, 2018
5 great new car deals you can get now
As the 2018 model year nears its end, big rebates and good lease deals are plentiful — here are some of the best
Jul 24, 2018
6 of the safest cars on the road
These are the latest new cars to earn the highest rating from the Insurance Institute for Highway Safety
Jun 21, 2018
Mark Zuckerberg grilled over data scandal
EU lawmakers question Mark Zuckerberg about Facebook's role in Cambridge Analytica scandal
May 22, 2018 Original Article