Tax Scams in Full Bloom



With just two weeks left before the U.S. tax filing deadline, tax fraud is in full swing.

It’s spring, and in the springtime, a young man’s fancy turns to taxes. Well, maybe not his fancy, but his thoughts, certainly. And it’s not just the law-abiding taxpayers who have these thoughts, but also the large population of scammers and fraudsters, for whom tax season is their Super Bowl.

Since the beginning of the electronic filing era, attackers have been preying on consumers’ uncertainty and confusion about the process. Phishing emails with a variety of tax-related lures have been circulating for the better part of 15 years now, and still are remarkably effective. Thousands of people fall for these scams every year, sending money or personally identifiable information to fraudsters and setting themselves up for years of headaches and paperwork to try and recover from that mistake. Despite years of education and warnings from security experts and the IRS, fraudsters have no trouble finding victims for these scams.

In the last couple of years, the volume of tax-related scams has increased dramatically. The IRS warned earlier this year that it has seen a 400% jump in the number of tax phishing scams this year alone. Those phishing threats are well-understood, if not always well contained. But the newer and perhaps more dangerous threat is coming through the phone channel. Scammers have found that many of their phishing emails wind up in recipients’ spam folders and never have a chance of making them any money, so they’ve moved to a more direct approach.

Fraudsters use special software to spoof the number that will show up on a victim’s caller ID to make it look like the call is coming from the IRS. They will claim to be from the IRS and tell the victim that he has failed to pay taxes in previous years and is about to be arrested. The only way for the victim to avoid winding up in jail is for him to pay the fictional back taxes immediately. The scammer tells the victim that the police are planning to come to his house later that day, and that he needs to send a Moneygram or wire transfer to a specific account right away.

Of course, the IRS doesn’t make these kinds of calls. If you owe back taxes, the agency will send a series of letters and won’t ever demand that you pay via Moneygram. But many people have a visceral fear of the IRS and aren’t necessarily sure that they’ve done their taxes correctly, so they are soft targets for these scams. Criminal gangs have sophisticated research and reconnaissance operations that spend considerable time looking for likely victims for their phone scams. They look for taxpayers who may be susceptible to high-pressure tactics, often elderly people or those in their early 20s who may not understand the tax process well.

Recently, fraudsters have begun to move to a different kind of tax scam. Rather than using the high-pressure technique of demanding payment for back taxes, the scammers are calling victims and saying the have their tax returns and just need to confirm some details before processing them. The caller will then ask the victim to confirm his Social Security number, bank account information, home address, and other personal details. That data is then used for identity theft schemes and future attacks.

“The IRS won’t be calling you out of the blue asking you to verify your personal tax information or aggressively threatening you to make an immediate payment,” IRS Commissioner John Koskinen said.

With April 18 looming, scammers are stepping up the pressure on victims, trying to make the most of the time they have left before the tax deadline.

Dennis Fisher

ANALYST REPORTS

Gartner 2017 Magic Quadrant for Enterprise Data Loss Prevention (DLP)

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.