The growing digitization of personal information is contributing to several cybersecurity concerns, but individual tax data may be especially problematic for potential victims of cybercrime. Personal tax information is encompassing of several identifying details that can be valuable to hackers, including home addresses and Social Security identification numbers. This data can be harvested by cybercriminals for identity theft purposes, such as allowing them to claim tax returns in your name. It can also be sold off online to others looking to profit off of your personal information.
The increasing adoption of social engineering tactics is allowing hackers to single out potential victims much more efficiently, and the sheer volume of data that is exchanged online during tax season offers many possible targets. The IRS warns that criminals targeting tax information are becoming increasingly sophisticated in who they target and how. This includes extending their attacks to new delivery methods and shifting focus to tax professionals and tax preparation software. In addition to scams involving fake calls from the IRS, phishing emails have risen in prominence to contribute to the overall increase in attempted tax fraud.
Phishing for personal tax data has become so pervasive that the IRS has implemented several campaigns to raise awareness among tax professionals. The federal agency has reported on multiple scams in recent years that specifically target tax preparers through phishing emails. These include the false software download messages previously mentioned, which appear as a legitimate email from their tax software provider that directs the recipient to a website with malware disguised as an update for their product.
This malicious software may have a filename that looks virtually similar to the actual tax program, and once downloaded it records keystrokes to extract passwords and other login information. There have even been reports of similar programs that take complete control of the tax professional’s machine to remotely allow the hacker to access this data themselves. This approach has also been applied by some cybercriminals to break into personal tax software installed on home computers. Hackers send a similar phishing email that follows some of the same steps to gain entry into the program. At that point, they can obtain the data directly from the source.
Scammers have conducted several other phishing campaigns that have targeted potential victims with fake email subject lines such as asking for IRS e-Services registration renewal or threatening action if tax returns are not refunded. In addition to federal employees and tax software providers, hackers may masquerade as representatives of banks and credit card companies in order to trick their victims. These attacks are not regulated to tax preparers, but also may often target human resources personnel and those working for educational institutions.
Organizations handling financial data have become big targets for hackers due to the value of the information they store digitally. Cybercriminals are developing their tactics to be able to target gatekeepers of sensitive data more effectively. The availability of personal information online through avenues such as social media enables attackers to seek out and identify potential hacking victims, to the point of being able to build extensive profiles around valuable targets.
If you suspect you may have been a victim of a phishing tax scam, you should inform the IRS right away. If your organization manages financial information for your clients, or if you just want to better protect your data, then contact us to find out about our Phishing Defender solution to ensure you and your employees do not become a victim of a phishing scam.