Tax season is one of the high points of the cybercrime calendar.
If you look at your tax documents, you may notice that they contain all sorts of useful information about you. At any time of the year, any cybercriminal would be delighted to have access to this data. During tax season, they can turn an easy profit by filing your taxes before you do and stealing the refund.
Hackers and Cyber Criminals
Ah yes, we’re back to the dark web and the hacker industrial complex. This isn’t a bunch of teenagers in a basement. Ok well, it might be some teenagers in a basement but it’s also a fully functional marketplace at scale where experienced cybercriminals are selling products and services to entry-level hackers at a significant profit.
According to Carbon Black, “Research into various marketplaces on the dark web found W-2 forms, 1040 forms and how-to guides for illicitly cashing out tax returns available. W-2s and 1040s are available on the dark web at relatively low cost, ranging from $1.04 to $52. Names, Social Security Numbers (SSNs) and birthdates can be obtained for a price ranging from $0.19 to $62. For a more comprehensive investment (around $1,000) a relatively inexperienced hacker can purchase authenticated access to a U.S.-based bank account, file a false tax return, claim the IRS refund and cash out via a cryptocurrency exchange for a 100+% return on investment. …”
Last year there were many stories in the news about criminals filing fake tax returns. In one case earlier this year, four defendants who defrauded the IRS by using stolen identities to file tax returns and obtain refunds pleaded guilty.
Good cybersecurity practices are important throughout the entire year in order to protect yourself, your family, and your teams online. However, the additional risks associated with tax season mean it’s a good idea to keep spidey senses up, and take a few extra steps to keep yourself secure. Pass it on!
- File as soon as possible.
The IRS works on a first-come, first-served basis when it comes to your taxes. By not waiting until the last minute, you shorten the window where a scammer can put in a fake return before you do.
- Keep software up to date.
Entire families of malware are focused solely on stealing data and filing fraudulent tax returns. Keeping your antivirus updated (and running it regularly) and installing software updates often minimizes your chance of infection.
- Watch out for phishing.
Phishing attacks top the IRS’s list of the most common threats during tax season. Before clicking a link, entering credentials, opening a file, or sending off any type of data, take an extra step to validate the email’s sender.
- It’s not just email.
Phone calls are a favorite tactic of tax scammers. The IRS will never call you and certainly won’t ask for sensitive data over the phone or tell you to pay your tax bill in prepaid gift cards. Scammers sometimes even use fake names and phoney IRS ID numbers to con people out of money and information. If the call is not picked up, the scammers often leave an emergency callback request message! The nerve. The IRS also warns this year about a new twist on the IRS impersonation phone scam whereby criminals fake calls from the Taxpayer Advocate Service. If you do get a call, and you do answer it, just hang up.
- Don’t use public WiFi.
While public WiFi is great, and cafes provide the caffeine that you need to make it through all of the screens on your tax return, don’t use public WiFi when performing sensitive actions. Take your drink to go and pay taxes from your couch.
- Use strong account passwords.
People commonly use weak and reused passwords, making it easy for cybercriminals to gain access to their accounts. Use a password manager to assign a strong, unique password to all of your online accounts.
- Use MFA when possible.
With the number of recent data breaches, there is a good chance that the password you use for everything has been leaked. Turning on multi-factor authentication makes it harder for a cybercriminal to use it to steal your data.
- Securely destroy documents.
Throughout the year, and during tax season in particular, you probably end up with a lot of sensitive paperwork. Make sure that it is shredded properly. As disgusting as it sounds, people may be willing to dig through trash for it.
- Opt out of “preapproved” credit offers.
You’ve probably gotten “preapproved” offers for a credit card that you don’t want. Criminals, on the other hand, would love a card in your name. These companies offer an opt-out option. Take them up on it.
Preventive Measures During Tax Season
Taking these steps can dramatically decrease your risk of being the victim of identity theft and tax fraud. However, if you try to file your taxes and the application is rejected, it may mean that cybercriminals filed before you did. If this is the case, act immediately:
- Call the IRS Identity Protection Specialized Unit (IPSU) at 1-800-908-4490 to report it.
- File an ID theft affidavit: You can also document the identity theft by submitting a police report and the IRS ID Theft Affidavit (Form 14039).
- Contact your state tax organization: Your state taxes may be affected as well.
- Document your case: Download the free ID Theft Help app from ITRC to track your case as you go through the resolution process.
- Call the ITRC: You can receive no-cost assistance from a victim advisor by calling 1-888-400-5530.
In a summary of its findings, Carbon Black reported these scary statistics, with specific numbers showing how little it costs to obtain sensitive data:
- W-2s and 1040s are available on the dark web at relatively low cost, ranging from $1.04 to $52. Names, Social Security numbers and birthdates can be obtained for a price ranging from $0.19 to $62.
- For $1K, a relatively inexperienced hacker can purchase authenticated access to a U.S.-based bank account, file a false tax return, claim the IRS refund and cash out via a cryptocurrency exchange for a 100+% return on investment.
- How-to guides for cashing out other people’s tax returns are available for around $5, but one offer, claiming to be the most comprehensive guide for tax refund cash out, was listed for $70.
- A hacker can now provide stolen/purchased identity information (Name, DOB, SSN, etc.) and receive an original image of some person holding a forged passport with matching picture/information and scans of the forged identity documents.