Scammed and Confused: A New Twist on Tax Scams

The emergence of e-commerce is also seeing a proliferation of digital scams, from schemes that target your online banking app to cons aimed at hijacking your tax return. What can consumers do to stay safe while still availing themselves of powerful online services?

A lot, really - if you’re willing to stop and think, and take all the necessary precautions you can. Security - whether personal or organizational - is a continuous process, not an outcome, and it requires a level of vigilance to stay ahead of the latest attack strategies.

Recently, the IRS shared a surprising but effective new way some tax return scams are being executed: Attackers are using taxpayers’ stolen identity information to fraudulently file otherwise valid tax returns that are due to receive a refund.

They allow that refund to direct deposit into the victim's actual bank account, then the scammers - posing as the IRS - call the victim, demanding that they return what they purport to be “wrongfully allocated refunds.”

Since the victim presumably hasn't yet filed their taxes, it's easy for them to assume a mistake was made, so they are likely to comply with the demand and are subsequently tricked into sending their valid refund to the attacker.

Tips to Avoid Tax Scams

So, what can consumers do to lessen the likelihood they may fall victim to such a scam? Here are a few tips that should help reduce the risk you might be successfully targeted is such a scheme:

  • File your return as early as possible - duplicate fillings typically get denied by the IRS. Also, if you file electronically, you can usually track the progress of your filing and the status of your return online, and receive automatic updates on the process.

  • Check your credit reports, bank statements, and social security records routinely for unusual transactions, and report any suspect activity to the appropriate agency or company as soon as possible.

  • Assume your personal information is already exposed - hundreds of millions of records have been compromised in breaches at companies like Target, Home Depot, and Equifax, as well as government agencies like OPM. In addition, personal information contained in your social media posts make it even easier for an attacker to impersonate you or someone you know.

  • Stay alert - only use apps and websites belonging to organizations you know. Don’t click on links in emails or SMS texts, but instead got to your browser and manually type in the URL making sure nothing is mis-keyed, so you don’t fall prey to typo-squatters.

  • Follow your gut - if you’re unsure if the email, the attachment, or the phone call is from a legitimate source, take the extra steps to validate before you do anything or provide any personal information.

  • Keep your computer system up to date with patches and the latest versions of software so known vulnerabilities cannot be exploited against you.

  • Recognize that traditional antivirus that was preinstalled on your system, or that you bought at the electronics retailer, doesn’t protect you as well as you think it does - these are reactive products that can block known threats from yesterday, but can’t be proactive and protect you from emerging and otherwise unknown threats (but this can).

  • Use multifactor authentication (2FA) and strong passwords - and for those “secret questions” - make sure they are truly secret, or better yet, when asked for your favorite food, instead of saying “pizza” as the answer make up something like “2x5pt*blahblah” that won’t likely be something in your social posts or an obvious answer such as your pet’s name.

  • If you use a shared computer system at home, consider one that is a general purpose “fun system” that may likely have more potential for compromise, and a separate one that is more locked down that can be used for sensitive transactions like banking, medical, and taxes.

  • Demand better - vote with your $$ - consider changing who you do business with if they have failed to protect you adequately or appropriately resolved security incidents/issues that have occurred.

That’s just a start. Additional information on how you can prevent being the victim of financial identity theft, as well as what steps to take if you have been victimized, can be found in this compelling first-hand account of such an ordeal: Identity Theft: The Aftermath and What to Do Next.

Remember, you are the primary stakeholder in your own security, and the best advocate and actor to ensure your own wellbeing. Take time to understand the technology you use and how it can be used against you, then put in the time to make sure you reduce the risk of exploitation as much as possible. Cybercrime is a numbers game in many instances, so don’t be the low hanging fruit.