Computer code criminals might use as means to impersonate people for tax fraud.

With the 2020 tax season underway, cybersecurity analysts are seeing an increase in the number of impersonation attacks focused on stealing personal information through voice phishing, texts, and email.

According to the Daily Mirror and other news sites, taxpayers are at their most vulnerable during income tax self-assessments due to uncertainties over filing processes. Other reports have shown cybercriminals take on the guise of credible organizations to persuade citizens to hand over private credentials. They exploit access to bank accounts and sell the data they’ve secured for additional profit. Wired Magazine’s Louise Matsakis, cybersecurity staff writer, has commented, “…online scammers do more than masquerade as the IRS. Some have created fake versions of online accounting tools like QuickBooks, while others pretend to be tech support agents… to dupe people trying to file their taxes.” 135 million people filed electronically last year according to the IRS, many on their phones.  

 “These attacks…work,” commented Carl Wearn, Mimecast’s Head of E-crime and Cyber Investigation.  Unfortunately, there’s no appreciable way to halt these types of impersonation attacks on a large scale. The best defense depends on individual cyber awareness and an understanding of red flags that suggest foul play.

Phones Are a Common Threat Vector for Impersonation Attacks

Identifying common threat vectors as a taxpayer is a crucial safeguard in protecting information and financial assets, especially going into the 2020 tax season. By banking on an individual’s uncertainty, impersonation attacks generally follow several vectors. They contact targets by vishing and encourage them to call back with private information; they also reach out via text or email, posing as the IRS. These may come as reminders to file or tax preparation offers, and some have begun mailing official-looking, fraudulent letters.

Scammers use these avenues to offer fake tax rebates using malicious links. Impersonators often leave accusatory voicemails or emails to manipulate victims and cause fear and alarm. In one example, Business Insider’s senior personal finance reporter Tanza Loudenback writes, “A phone number from Washington, DC, called me and left a voicemail….It was an automated message that said:

Time sensitive and urgent ... we found that there was a fraud and misconduct on your tax which you are hiding from federal government. This needs to be rectified immediately, so please return the call as soon as you receive the message.’”

The IRS has stated they will not reach out to discuss financial matters through email, text, or social media, and calls are generally reserved for follow-up to an official letter. Voicemails like this are a prime example of fraud, playing on the fears of the listener to invoke an impulsive response. Though it may not have worked in the case of Loudenback, thousands of taxpayers fall into these traps every year. Cybercriminals play on taxpayer uncertainty with malicious disinformation, coercing victims into providing banking details, social security numbers, and other personal information.

Recognize Signs of an Impersonation Attack

Impersonation attacks are more common than ever, and a source of risk for taxpayers who lack the necessary cyber awareness to successfully deflect these advances. In 2018, the U.S Internal Revenue Service released a report highlighting a 60% increase in bogus email schemes to steal money or tax data, and tactics are continuously growing in sophistication and scale. Carl Wearn’s research indicates impersonation is the most frequent type of attack and is increasing in use. It’s become a necessity for taxpayers to discern the difference between credible revenue service communications and fraud.

Taxpayers must educate themselves on how to identify signs of foul play. There’s no viable way to lessen the number of attacks happening – the only method to best minimize risk is to recognize there is a threat before it’s too late. The IRS offers useful information on their own protocols.

Scammers have become proficient at playing on the uncertainties of victims, but these ploys are easily detectable when taxpayers are aware of IRS processes. When if doubt, contact the IRS directly with questions and concerns.

Fight Tax Fraud: Cyber Awareness Best Practices

Much like walking to a car alone at night, it pays to be vigilant and aware of any surrounding environment. This is also true of the cyber landscape. Impersonation attackers will seek to exploit taxpayer confusion to persuade and coerce victims into divulging sensitive information. Familiarity with the cyber awareness best practices below will help victims mitigate risk and defend their assets:

  • Filing taxes early can prevent scammers from filing them in a taxpayer’s stead
  • Use password-protected WiFi and login practices when filing electronically.
  • Check URLs for the “s” at the end of “https”, which stands for secure encryption. Any site page without one may be vulnerable to data collection.
  • Only use credible tax filing services, whether it be an online application or an accountant. Be wary of “ghost tax return preparers.”
  • Respond to official IRS communications as soon as possible.

January 2020 will mean tax form processing for everyone, and for many, these steps can seem ambiguous and confusing. But practicing cyber awareness by avoiding voicemails, text messages, and emails that seem suspicious can protect individuals from detrimental financial and data loss. Recognizing the signs may mean all the difference for families throughout the United States this coming tax season.

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Waarom aanvallen op gelijkaardige domeinen toenemen

Here’s what to know about look-ali…

Here’s what to know about look-alike domain attacks. … Read More >

Matthew Gardiner

by Matthew Gardiner

Principal Security Strategist

Posted Oct 11, 2018

Why Deepfakes are Revolutionizing the World of Phishing

Since the dawn of social engineering, at…

Since the dawn of social engineering, attack methodology has… Read More >

Jonathan Miles

by Jonathan Miles

Head of Strategic Intelligence and Security Research

Posted Oct 22, 2019

4 eenvoudige tips om vishing te stoppen

With Cybersecurity Awareness Month here,…

With Cybersecurity Awareness Month here, we’re ready t… Read More >

Michael Madon

by Michael Madon

SVP & GM for Security Awareness and Threat Intelligence Products

Posted Oct 23, 2018