The prevalence of tax fraud in the digital age has increased exponentially with businesses and individuals alike falling prey to the attacks of savvy hackers. What we are seeing is that these attacks are not advanced at all—they actually use fairly basic tactics. So in the midst of this tax season, here are five ways to avoid becoming the next victim of tax fraud.
1. Ignore Emails From the IRS
The IRS does not communicate via email. It will never send you a request via email, will never ask you for follow-up via email, and will never ask you for personal information via email. If you get an email from anyone at IRS.gov, it is spam, phishing, or a hacker—abort the mission. Do not click on the link; do not open the attachment. (Do not pass go; do not collect $200!)
So many people make this mistake because, in the year 2022, one might assume the IRS would be using digital communication. The good news is that the IRS recognizes how easily email can be spoofed, so it has decided as an entity to never communicate with anyone via email. The bad news is that the IRS doesn’t really tell anybody that. So first and foremost, any time you receive an email communication that says it’s from the IRS, ignore it. It’s always going to be a scam.
2. Use Two-Factor Authentication When Setting Up Your Accounts
I know people who log in once a year to file their taxes, and they have used the same password for four years. But these hackers have password databases, so if you’ve used your password in any other account for the IRS, it’s likely already been compromised and in their database, no matter how complex you think it is. To protect yourself from this, it is essential to set up two-factor authentication.
Here’s where it gets tricky: In the last 18 months, hackers have begun what we call SIM hijacking attacks. We’ve seen anywhere from $10 to $15 million taken this way. Essentially, while you’re sleeping, hackers log into your account and take over your SIM card for a short period of time. Your cellphone stops working for five minutes or so, and they get your one-time code to log in. Because we’ve seen it used so much in crypto wallets, we predict this to be a big attack factor in the upcoming year with the IRS. To protect from this, it’s important to switch your two-factor authentication from a phone number to an email address because your email is also protected with a two-factor authentication. Now you’re adding extra layers of complexity.
3. Protect Your Snail Mail
The IRS only sends snail mail. With that, you must be careful, too, because we have seen cases in which people aren’t coming into the office anymore. If their mailboxes get too full, postal carriers will often just leave mail sitting out in the open, vulnerable to theft.
For anyone who has an office, it’s important that somebody goes in regularly to check the mail. We know opening someone else’s mail is a federal offense, but criminals don’t seem to care about that. Once they open it, they will have all your codes because the IRS sends all that. Then, they can call the IRS and impersonate you. With so many people working remotely now, it is important to continue to check your mail and track it on a regular basis.
4. Beware of Fake Checks
This is a simple but highly effective technique we’ve seen with tax credits from the IRS, and I predict we will see the same thing with IRS refunds. These criminals will send you a check that looks like it’s from the IRS, hoping that that the victim will sign their name on the back with their account number and deposit it. Once it’s deposited, the sender will receive an electronic copy of the check, and they have just acquired all of that personal account information.
Then, the sender will write a letter saying, “The IRS is so swamped with refunds that they hired us to do third-party processing. This doesn’t look like an IRS check, but trust us!” First of all, there is no such thing as third-party processing. Second, whenever somebody says to “trust us,” run!
The sender will then enclose a check for $10 or $20 saying that your tax refund was miscalculated. To most people, $10 or $20 is important enough to deposit, and when they do, they actually will get the money. But now the attacker will have the account number, birthday, signature, and everything else because they receive copies of it upon deposit. It is important to always ensure any refund check is actually from the IRS.
5. Use a Non-Windows Device
When filing your taxes online, you ideally want to do it on a non-Windows device like an iPad or an Android. The reason is not because Windows is more vulnerable; we tracked the number of vulnerabilities, and in the last couple of years, Windows is extremely secure. But Windows owns 90% of the installed base, so attackers go after Windows. When we look at all the IRS scams, tax scams, and all the others that are electronically based, they’re all targeted for a Windows operating system. If you’re filling out your taxes on a Windows device, and then you’re checking emails and happen to get hit with a phishing attack or virus or ransomware, all of a sudden, they have access to your computer and your tax information. Doing all finances on a device like an iPad minimizes and reduces exposure, so if you get compromised, attackers won’t get your Social Security number and all your personal data.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Eric Cole is the founder of Secure Anchor Consulting and has more than 30 years of hands-on experience in the cybersecurity field.
We’d love to hear your smart, original take: Write for Us