Beware of Tax Scams

Garden State Cyber Threat Highlight

Original Release Date: 2/24/2021

During tax season, threat actors target taxpayers and their data in order to file fraudulent tax returns, collect refunds, and engage in other identity theft schemes. Threat actors seek out tax information, including W-2 information and personally identifiable information (PII) – such as Social Security numbers (SSNs), dates of birth, bank account or credit card numbers, and driver’s license numbers. They rely heavily on social engineering tactics conducted through email, phone, and text messages. These social engineering scams attempt to appear or sound convincing and authentic in order to trick recipients into disclosing sensitive information or credentials for online accounts. If they can steal a target's data and identity, they can also steal their tax refund. We share some common tax scams and recommendations to help protect your identity, data, and tax refunds.

Tax Identity Theft

Threat actors steal and use tax information, including SSNs, of unsuspecting taxpayers in several ways to file fraudulent tax returns and steal refunds. In order to acquire this information, threat actors may collect information exposed in a network compromise or data breach, or via social engineering campaigns. These social engineering campaigns are often email-based phishing scams that attempt to convince the recipient to divulge W-2 information or PII. Threat actors often target HR and payroll personnel to request this information by impersonating a CEO or other executive. Threat actors also may purport to be a trusted tax service and send phishing emails with links to spoofed websites that capture and steal information. Threat actors may also send spoofed emails with tax documents available for download via legitimate services, such as DocuSign, to steal account credentials or other information.

Once a threat actor has access to this tax information, they possess everything necessary to pose as you and file a tax return in your name to claim a refund fraudulently. These attempts are often made early in the tax season before most taxpayers file. Typically, victims do not realize they have been targeted until they attempt to file their tax return and discover that it has already been filed and a refund has already been issued. In this instance, an IRS notice will be received, stating that more than one tax return was filed using the same SSN. In addition, if someone fraudulently uses your SSN for work and the employer reports this income to the IRS using your SSN, then you will receive an IRS notice stating you received wages but did not report them.

Threat actors may also file using the name of a deceased person, steal children’s identities to claim them as dependents, and claim a low income with high deductions to maximize the amount of the tax refund payment.

Recommendations

  • File early. File your taxes as early as possible to reduce the likelihood of a threat actor filing a fraudulent tax return and stealing your refund. Also, the first tax return filed is the first one that is accepted.
  • Enable multi-factor authentication (MFA). Enabling MFA on all tax accounts provides an extra layer of protection against account compromise via credential theft. The IRS and its Security Summit partners announced that MFA will be available on all 2021 online tax preparation products to protect both taxpayers and tax professionals.
  • Use an Identity Protection PIN (IP PIN) from the IRS before you file your return. This six-digit number, in addition to your Social Security number, verifies your identity. Once you apply for it, you must provide the IP PIN every time you file your tax return. It is important to note that you cannot opt out once you get an IP PIN.
  • Watch out for signs of identity theft. Contact the IRS if you have suspicions that your identity has been stolen, especially if you receive:
    • an IRS notice in the mail about a duplicate tax return;
    • an IRS notice in the mail stating you received wages from an employer you never worked for; or
    • an IRS notice in the mail stating that additional taxes are owed, that a refund will be offset, or that a collection action is being taken against you for a year you did not file a tax return.

IRS Impersonation Scams

With knowledge of W-2 information and/or PII, threat actors may impersonate the IRS to target taxpayers via unsolicited communications. Threat actors may claim via phone that you did not pay taxes or that you filed them incorrectly and now owe the IRS for back taxes. In order to convince you to reveal personal or financial information, they may threaten arrest or legal action if the money owed is not paid immediately via wire transfer, gift cards, or pre-paid debit cards. The IRS will not call you to request this information, demand immediate payment of an unpaid tax bill, or threaten you.

Threat actors may also claim you are due a tax refund in phishing emails or text messages containing links that, if clicked, direct you to spoofed IRS websites to steal personal and financial information. The IRS does not send unsolicited emails or request personal information, including passwords, PINs, or other information pertaining to your accounts. Threat actors may also send phishing emails with information on tracking the status of tax refunds. These emails contain links that, if clicked, direct you to spoofed IRS websites. Instead, users can track their IRS refund status on the official IRS Where’s My Refund website.

Recommendations

  • Beware of communications supposedly from the IRS. The IRS does not contact individuals by phone, email, or text message to solicit information or money. Instead, the IRS sends notices and bills through postal mail.
  • Exercise caution with communications. Refrain from divulging sensitive information via phone, email, or text message without verifying the requestor via a separate means of communication before taking any action.
  • Navigate directly to websites. Navigate directly to authentic or official websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials on websites visited via links delivered in messages.
  • Use secure websites. When sharing personal or financial information, ensure you are using verified, secure, and encrypted websites.

Fraudulent Tax Preparer Scams

Some taxpayers do not file their own taxes and, instead, rely on a tax preparer. Threat actors may pose as legitimate tax preparers to steal and use your information to file fraudulent tax returns and steal refunds. These fraudulent tax preparers may use their “position” to steal your information, base their fees on a percentage of your refund, claim illegal deductions or credits in order to increase their fees, promise bigger refunds than their competition, and promise large refunds without understanding your entire financial background. Scams may also include the promise of tax refund anticipation loans, which are short-term loans provided by the tax preparer against an expected tax refund for the duration it takes the IRS to pay the refund. This loan could have associated interest rates. Fraudulent tax preparers may also have refunds forwarded to them instead of you. They may not be willing to go over your tax return with you and may then convince you to sign a blank or incomplete tax return. Once you sign the tax return, they may not be willing to review your tax return at a later date, or worse, become suddenly unavailable or unreachable.

Recommendations

  • Research your tax preparer. Make sure your tax preparer is qualified and trustworthy before handing over your personal or financial information. The IRS provides a Directory of Federal Tax Return Preparers with Credentials and Selection Qualifications to search for a tax preparer near you.
  • Inquire about their qualifications. Ask if the preparer has an IRS Preparer Tax Identification Number (PTIN), which is required for paid tax preparers. It is also important to ask for references and hire a tax preparer who is willing to go over your tax return with you and is available year-round in case any questions or issues come up after filing season.
  • Review and understand your prepared tax return. You are ultimately responsible for the information on your tax return. Look over your tax return and address any concerns with your tax preparer before signing it. Refunds should go directly to you and not your tax preparer.
  • Ensure your tax preparer is safeguarding your information. Your tax preparer should protect and secure your information on computers, media, and paper documents. Security protections for tax professionals include the implementation of secure systems, strong passwords, and encryption.

General Cybersecurity Best Practices

  • Safeguard your information and accounts. Account credentials and other sensitive information, such as your SSN, should not be shared with anyone or saved on your computer or other platforms.
  • Use unique, complex passwords for all accounts. Unique passwords for each account prevent password reuse attacks, in which threat actors obtain your password for one account and use it to compromise an additional account using the same credentials.
  • Enable MFA where available. MFA is the use of two or more factors to authenticate to an account or service. This significantly reduces the risk of account compromise via credential theft in which your password has been exposed. Even if a cybercriminal obtains a user’s username and password, they will be unable to access that user’s account without their second factor. The NJCCIC encourages users to choose authentication apps, hardware tokens, or biometrics as a second factor over SMS-based authentication due to the risk of SIM-swapping, though using any form of MFA is beneficial. The website TwoFactorAuth.org maintains a comprehensive list of websites that offer MFA.
  • Review accounts and report suspicious activity.
    • Review account transactions and activity and report any suspicious activity, identity theft, and/or fraud to your financial institution, local police department, the Federal Trade Commission (FTC), and/or the credit reporting bureaus.
    • Cyber-related incidents may be reported to the NJCCIC via the Cyber Incident Report form.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
