If you need a news hook, IBM just released a report: https://securityintelligence.com/cybercriminals-spoof-major-accounting-and-payroll-firms-in-tax-season-malware-campaigns/

IBM says it’s recently detected a wave of tax-themed phishing messages targeting both businesses and personal email addresses. The emails have been crafted to deliver a Trojan called Trickbot, which can steal bank account information from your internet sessions.

Thanks,

John

From: John Kreuzer
Sent: Tuesday, April 2, 2019 1:23 PM
To: ‘tony@xpective.net’ <tony@xpective.net>
Subject: Story Idea: Will Hackers Audit Your Bank Account This Tax Season?

Hi Tony,

As you can imagine, the tax season is a perfect time for the bad guys to audit your bank account.

To-dos have focused on fraud alerts, credit freezes and monitoring to curtail thieves’ ability to open new accounts in victims’ names. However, experts say consumers should also start thinking ahead as we find ourselves in the middle of tax season — when criminals could potentially use stolen Social Security numbers to file fraudulent tax returns and snare refunds.

Thought that this topic might be a good one for a timely story. I’ve obtained some commentary on this topic, which can be found below, should you want to write an article for your readers.

If you have any specific questions, please let me know. Happy to obtain some additional insight, outside of the perspective provided below.

Thanks,

John

Nathan Wenzler, Senior Director of Cybersecurity at Moss Adams, a Seattle, Wash. based accounting, consulting and wealth management firm:

“April 15 is a well-known deadline for a lot of people, often inducing a mad scramble to get their taxes prepared and submitted to the IRS. But, it’s also a time when cybercriminals take advantage of this time to shift their scamming efforts into overdrive. This year, the risk of financial loss and identity theft from these IRS scams is even higher, as criminals are now leveraging far more detailed, personal data that has come from the dearth of data breaches we’ve seen over the last several years. Armed with this personal information, these scams now sound more realistic, more legitimate and more trustworthy, which makes them far more dangerous than ever before.

It’s important to remain vigilant and know how to identify and respond to these scams, even if you’re in that frantic rush to get your taxes in and done by the deadline. Here’s a few things to look out for:

Phone calls claiming to be from the IRS stating you owe money or are about to have criminal proceedings started against you. This has become the most common form of scam in the last few years, and due to the success it’s had in preying upon people’s fears of prosecution or fines, expect to see this technique used more and more. Again, since the scammers now have more personal details about you that they’ve acquired from those data breaches, the conversations may sound very legitimate. But, remember that the IRS does not call anyone to demand payments or ask for financial information like credit card numbers over the phone. Their normal procedure is to send a bill through the mail first, and to work with you for payment plans made over time. If you’re uncertain if you’re being scammed, you should hang up and call the IRS directly at (800) 829-1040, or you can report the scammer to the Treasury Inspector General’s office at www.tigta.gov.

Emails requesting additional personal information to address a tax payment problem or claim a refund. Increasingly, scammers are using more personalized emails as a form of spearphishing attack to lure people to fake websites that may seem very similar to the real thing. These fake sites often use the same graphics and visual structure as the real IRS site, so it can be difficult to know the truth. Remember first and foremost that the IRS will not reach out to you via email first about a refund or payment issue, instead relying on the postal service to deliver initial contact. Also, any email that asks you to click on a link to visit the site in question should be a red flag that something is amiss. Never click on links in emails, but instead, type in the site you want to visit (like www.irs.gov) directly into your browser. Finally, keep an eye out for small tweaks or typos in the domain name or email account that may reveal the message is a fraud. A missing period between “IRS” and “gov” is a quick and easy tell that something isn’t right with the message.

Someone shows up at your door claiming to be an IRS Agent. This is another area that criminals are increasingly using to scam people. Yet again, with so much personal information stolen and available to these attackers, they can easily find out where someone lives and other details in order to visit them and attempt to swindle them face-to-face. Like the other forms of contact, the IRS relies on mail first, and rarely sends out actual agents to visit anyone over a tax issue. Always insist that you won’t do business with the IRS in person at your home, and that you will contact their office directly via official contact numbers or the IRS website. Do not take contact info from someone who’s at your door, and report this incident immediately to the authorities.”

Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers:

“Identity theft is the biggest concern with filing taxes. This means that someone files taxes on your behalf and receives your tax refund. Your claim would be rejected leaving you to contend with proving your identity to the IRS and hoping to get your refund someone else already collected. Normally the recommendation is to not share personal information or sensitive data like social security numbers, but because of major hacks like Equifax, this information may well already be on the dark web for sale to anyone who wants it. In this instance, it does make sense to file as quickly as possible to limit the window of opportunity for an attacker who might impersonate you and steal your tax returns.

The second risk is phishing where someone were to call or email you and demand a payment with the hopes that you provided bank account or credit card information. The IRS would never call or email directly requesting a payment nor would it ask for personal information online. It is best to always ignore all of these calls and reach out to the IRS directly if there are any questions. The final risk is malware attacks from email attachments that can compromise your local system to gain access to sensitive information. The IRS would never send an email with an attachment and all of these should be ignored.”

Joseph Carson, chief security scientist at Thycotic, a Washington D.C. based provider of privileged account management (PAM) solutions:

“The earlier you file your tax return, the lower risk of becoming a victim of cybercrime. If you do not file your taxes, it is more likely that cybercriminals will do it for you. 2018 was another major year of significant data breaches that impacted almost all of the citizens in the US, therefore, with so much sensitive data exposed and available on the public internet and in dark web, it is very likely that cybercriminals can probably complete your forms better than you, better not wait and get them done now. Tax scams have already started early and with identity theft at an all-time high and with the changes with tax reform cybercriminals will be surely taking advantage of this.”

Praveen Jain, Chief Technology Officer at Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for the enterprise hybrid cloud:

“The most serious concern is the amount of confidential information available in one place, fertile ground for very deep identity theft. When transmitting this electronically, users must be very diligent as to their use of websites and emails due to the phishing threat. Simple actions that come to mind include never to frequent unsecured websites, and even then, verify URLs. Never open or click on suspicious emails, especially those asking for confidential information. Many agencies in fact offer secured mail services for communication, and these should be used if available. And remember the old adage, ‘the early bird catches the worm.’ Waiting until the last minute results in shortcuts, and shortcuts increase the potential of a breach. Beyond the end user, it goes without saying that agencies and individual tax preparers must protect their cyber posture via training, processes, and technical controls. Their liability is no less than private medical offices subject to HIPAA.”

Tony Bradley: I have a passion for technology and gadgets and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 3 dogs, 5 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.