When you’re a criminal looking to separate consumers from their money, IRS-induced panic is second to none as a motivator for getting people to pay up. While the IRS has been doing a great job lately of educating the public about these threats (and it recently kicked off its latest “Dirty Dozen” tax time scams to watch out for), cybercriminals are nothing if not creative. They are constantly evolving their tactics and tricks to catch unwary consumers off-guard.
Here are several tricks consumers need to watch out for during — and after — the tax season.
Tax ransomware
Criminals make a lot of money from ransomware, so they’re constantly looking for new schemes they can use to snag victims.
Tax season is a great time for this because people are more inclined to open an email attachment if it pertains to their tax filing. A common scam is to send a fake email that claims to be from an employer, or the employer’s accounting or HR firm, with an attached W2 or W4 form. Similarly, a hacker may spoof the IRS or a state taxing authority to send you an urgent notice via email.
Ultimately, the scammer will try to get you to open the attachment or click on the embedded link. Either method can execute the ransomware payload, which will then encrypt your computer until you pay the ransom.
Combo attacks
The average person is more wary of phishing emails these days, so criminals are upping the ante by combining this with another means of contact — usually a phone call, but occasionally it may be a text message too.
Criminals often use phone banks to carry out sophisticated frauds. The caller is likely to sound highly professional and will be able to create the impression of representing a legitimate government agency or company. In a combo attack, the caller will lay the groundwork for an upcoming phishing email, perhaps promising to send a document or link that is urgent for your case.
People are far more likely to open a malicious email if they’ve been contacted ahead of time.
Impersonator websites
Fake websites are another common tactic used around tax time. Typically, these “spoofed” sites are created for the sole purpose of tricking people who have been targeted with a phishing email.
For instance, an email that claims to be from the IRS will contain an embedded link that redirects the consumer to a web page which looks exactly like a real IRS website.
However, criminal hackers may also set up fake websites to ensnare consumers who are doing specific types of Google searches. These may be websites which offer extremely cheap tax return services, or money back guarantees on the return. They may also offer IRS remediation services.
The ultimate goal of a fake site is to steal your personal information or credit card number. Keep in mind, there are plenty of non-malicious websites which also run these types of promotions, but any business that is offering a too-good-to-true offer is best to steer clear of either way.
Ghost tax return preparers
Anytime you use a professional tax return service, the tax preparer is supposed to include a Preparer Tax Identification Number (PTIN) on the paperwork you submit to the IRS. Any return that doesn’t include this number is considered by the IRS to be self-filed. That means you, and you alone, are responsible for any mistakes.
“Ghost” preparers won’t include the PTIN on the tax return they provide you with. The reason for this is quite simple: They’re either not licensed to do this type of work or they are engaging in fraud. Without the PTIN, the tax return can’t be traced back to them.
A ghost preparer will take advantage of consumers in several ways. It may be as simple as charging for a service which they aren’t qualified to perform — and therefore it may contain numerous mistakes that will get the tax payer in hot water with the IRS.
However, they could also be more devious, by deliberating falsifying income or deductions in order to convince the client she will get a bigger refund from the IRS — and perhaps base the service fee on this amount. They could also require that IRS refunds be routed to their company bank account before being issued to the client — which means they could steal the refund outright.
In addition to being overcharged or bilked out of a refund, the bigger issue for consumers is that they could be accused by the IRS of submitting a fraudulent tax return.
Cryptocurrency scams
Given all the buzz about cryptocurrency, it’s no wonder that criminals are now using it in new scams targeting consumers.
Cyber crooks routinely troll through public crypto forums and social media networks to identify account holders, or they may buy lists in the Dark Web taken from prior breaches. They then contact the person via phone, email or social media and claim that they are guilty of tax fraud, or otherwise in violation of the law, because of their crypto holdings, and they must pay a fine immediately to avoid prosecution.
However, they may also call regular consumers, who don’t own any crypto, and demand they pay a tax penalty with Bitcoin, Monero, Dash or other altcoins, in order to process it immediately.
This may seem like an obvious con, but when you consider that a growing number of businesses are accepting Bitcoin transactions, and even the state of Ohio now accepts tax payments using Bitcoin, it’s easier than you think to get tricked by it, especially when the caller is threatening arrest or asset seizure for failure to comply.
The data breach con
Scammers are also using your personal information against you.
Think about all of the companies and government agencies which have suffered data breaches in the last six or seven years. Much of that data is now circulating in the Dark Web and available for purchase on identity theft forums.
Scammers will buy this data and use it to make themselves appear legitimate when they contact you by phone or email. After all, when a criminal calls you using a spoofed IRS phone number, and can tell you the last four digits of your Social Security Number, or email address, or home address, or account password, it’s not hard to see how some people may be duped into believing it’s the real thing.
How to stay safe
As you can see, there are many tricks scammers will use to steal your money during tax time. The good news, however, is that it is fairly easy to avoid them.
The best advice is to simply not respond directly to unsolicited emails, phone calls, text messages or social media messages. Understand that the IRS’s preferred means of communication is snail mail. They will never ask for personal information via email.
If you are contacted by someone claiming to be from the IRS, do not provide any personal or financial information until you know you are talking to a real IRS official. The only way to know for sure is by visiting IRS.gov and calling the agency at its listed phone numbers.
Additionally, be sure to take basic security measures to protect your information. Make sure your computer is up to date with the latest software and has robust antivirus with anti-phishing support installed. Never use an unencrypted WiFi network.
Change your passwords, and make sure to use lengthy combinations of letters (including upper and lower case), numbers and special symbols. Don’t share tax return information with your accountant, employer, family or anyone else via unencrypted email.